On Dec 6th, a Command Execution Vulnerability was disclosed in the open source webmail software called RoundCube. Using this vulnerability, an attacker can easily execute arbitrary system commands, which could be used to inject malware or take control of the server.
Bobcares provides Server Management Services to web hosts, websites and other online businesses. As part of our service, we keep track of vulnerability disclosures, and at this point we’ve patched several servers with a default RoundCube installation.
What is the RoundCube Remote Execution Vulnerability?
A remote attacker can inject system commands into the content of a mail, and RoundCube does not filter out these potentially dangerous commands before handing the mail to the system.
All RoundCube versions up to v1.2.2 are affected by this vulnerability.
For the attack to work, all of the following conditions must hold:
- RoundCube must be configured to use PHP's mail() function to send mail – this is the default setting.
- RoundCube must use “sendmail” to send mail – again, this is the default setting.
- PHP must not have safe_mode enabled – this is the case on a lot of websites hosted on VPSs.
- The attacker must know the absolute path to the web root – this can be easily guessed in many cases.
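As an added example that is not part of the original post, the following POSIX shell script checks a source-installed RoundCube tree against the preconditions above. It assumes the RoundCube 1.x layout (config/config.inc.php holding $config['smtp_server'], and program/include/iniset.php defining RCMAIL_VERSION) and a php binary on PATH for the safe_mode and sendmail_path checks; the fourth precondition (the attacker knowing the web root) cannot be checked from the file system and is treated as given.

```shell
#!/bin/sh
# Added example (not part of the original post): check a source-installed
# RoundCube tree for the preconditions listed above.
# Assumptions: RoundCube 1.x layout (config/config.inc.php and
# program/include/iniset.php, which defines RCMAIL_VERSION) and a php
# binary on PATH for the safe_mode / sendmail_path checks.

# Read the value of $config['<key>'] from config.inc.php (last definition wins).
rc_config_value() {
    sed -n 's/^\$config\[.'"$2"'.\] *= *.\(.*\).;.*/\1/p' "$1/config/config.inc.php" 2>/dev/null | tail -n 1
}

# Read the installed version from the RCMAIL_VERSION define.
rc_version() {
    sed -n 's/.*define(.RCMAIL_VERSION., *.\([0-9.]*\).*/\1/p' "$1/program/include/iniset.php" 2>/dev/null
}

# Returns 0 when "$1" is a version <= 1.2.2 (the affected range);
# an unreadable version is treated as affected.
version_affected() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj < 1 || (maj == 1 && (min < 2 || (min == 2 && pat <= 2)))) exit 0
        exit 1
    }'
}

# Returns 0 when RoundCube falls back to PHP mail(): smtp_server empty or unset.
rc_uses_php_mail() {
    [ -z "$(rc_config_value "$1" smtp_server)" ]
}

# Returns 0 when PHP safe_mode is off (or cannot be checked); also shows sendmail_path.
php_safe_mode_off() {
    if ! command -v php >/dev/null 2>&1; then
        echo "  php not found: cannot check safe_mode, assuming it is off"
        return 0
    fi
    echo "  sendmail_path = $(php -r 'echo ini_get("sendmail_path");')"
    [ "$(php -r 'echo ini_get("safe_mode") ? "on" : "off";')" = off ]
}

# Prints findings; returns 0 only when every locally checkable precondition holds.
rc_looks_vulnerable() {
    dir=$1
    ver=$(rc_version "$dir")
    hits=0
    if version_affected "$ver"; then
        echo "[!] version ${ver:-unknown} is in the affected range (<= 1.2.2)"
        hits=$((hits + 1))
    else
        echo "[ok] version $ver is outside the affected range"
    fi
    if rc_uses_php_mail "$dir"; then
        echo "[!] smtp_server is empty: mail is sent through PHP mail()"
        hits=$((hits + 1))
    else
        echo "[ok] smtp_server = $(rc_config_value "$dir" smtp_server): mail() is not used"
    fi
    if php_safe_mode_off; then
        echo "[!] PHP safe_mode is off"
        hits=$((hits + 1))
    else
        echo "[ok] PHP safe_mode is on"
    fi
    # The web-root precondition cannot be checked here; treat it as given.
    [ "$hits" -eq 3 ]
}

# Usage: sh rc-check.sh /var/www/roundcube
if [ "$#" -ge 1 ]; then
    if rc_looks_vulnerable "$1"; then
        echo "RESULT: $1 matches the preconditions; upgrade to 1.2.3"
    else
        echo "RESULT: $1 does not match all preconditions"
    fi
fi
```

Run it against the RoundCube directory; a non-zero exit means at least one precondition is not met, which is useful as a quick triage but not a substitute for upgrading, since a later configuration change can re-enable the mail() path.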
Is your server vulnerable?
RoundCube is a popular webmail tool supported by many control panels such as cPanel/WHM and Plesk. Many web hosts and website owners have asked us if their servers are vulnerable.
From what we’ve seen so far, default installations of both cPanel and Plesk are not vulnerable. This is because these control panels use SMTP authentication to send mail.
However, we’ve seen many cases where website owners installed RoundCube from source. These default installations use the PHP mail() function to send mail, and therefore they are vulnerable.
If you’ve set up RoundCube from source, we recommend upgrading to v1.2.3 ASAP.
IMPORTANT: If you use an older version of cPanel or Plesk, or if you’ve made custom changes to your RoundCube settings, we recommend getting your server audited by a professional server management company.
How to upgrade RoundCube to v1.2.3
Official RPM repos are not available yet for upgrading RoundCube. So, you’ll need to upgrade using the command line.
Upgrades can always be tricky because custom PHP, security, or permission settings on your server could cause an upgrade to fail.
When we upgraded RoundCube on our customers’ servers, these were the precautions and steps we followed:
- Back up the RoundCube folder and databases.
- Disable security settings and make sure file and directory permissions are correct.
- Download the latest version of RoundCube from https://roundcube.net/download
- Pass your RoundCube directory to the installation script, e.g. bin/installto.sh <roundcube-directory>
IMPORTANT: These steps should work in most cases, but if you are not sure of your system settings or dependencies, we recommend seeking the help of a professional server management company.
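The backup and install steps above, as an added example that is not part of the original post: a POSIX shell script that archives the RoundCube directory, dumps its database, and then runs the release's bin/installto.sh against the existing install. It assumes the RoundCube 1.x layout (config/config.inc.php holding $config['db_dsnw'] as mysql://user:pass@host/dbname), a MySQL backend with mysqldump on PATH, and that you have already downloaded the v1.2.3 tarball from https://roundcube.net/download; the usage paths are placeholders. The permission check from step 2 is left to the administrator, since it depends on the web server user and security modules in use.

```shell
#!/bin/sh
# Added example (not part of the original post): back up a source-installed
# RoundCube and run the upstream installto.sh upgrade.
# Assumptions: RoundCube 1.x layout, $config['db_dsnw'] of the form
# mysql://user:pass@host/dbname, mysqldump on PATH, and a release tarball
# already downloaded from https://roundcube.net/download.
set -u

# Read the value of $config['<key>'] from config.inc.php (last definition wins).
rc_config_value() {
    sed -n 's/^\$config\[.'"$2"'.\] *= *.\(.*\).;.*/\1/p' "$1/config/config.inc.php" 2>/dev/null | tail -n 1
}

# Extract one field (user, pass, host, db) from a DSN such as
# mysql://roundcube:secret@localhost/roundcubemail. Percent-encoded
# passwords and host:port forms are not decoded here.
rc_dsn_field() {
    case "$2" in
        user) n=1 ;; pass) n=2 ;; host) n=3 ;; db) n=4 ;;
        *) echo "unknown DSN field: $2" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" |
        sed -n 's|^[a-z]*://\([^:]*\):\([^@]*\)@\([^/]*\)/\([^?]*\).*|\'"$n"'|p'
}

# Step 1: archive the RoundCube directory and dump its database into "$2".
rc_backup() {
    dir=$1; out=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out"
    tar -czf "$out/roundcube-files-$stamp.tar.gz" -C "$(dirname "$dir")" "$(basename "$dir")"
    dsn=$(rc_config_value "$dir" db_dsnw)
    if [ -z "$dsn" ]; then
        echo "db_dsnw not found in $dir/config/config.inc.php" >&2
        return 1
    fi
    # MYSQL_PWD keeps the password out of the process list.
    MYSQL_PWD=$(rc_dsn_field "$dsn" pass) mysqldump \
        -h "$(rc_dsn_field "$dsn" host)" -u "$(rc_dsn_field "$dsn" user)" \
        "$(rc_dsn_field "$dsn" db)" > "$out/roundcube-db-$stamp.sql" &&
        gzip "$out/roundcube-db-$stamp.sql"
    echo "backup written to $out (files + db, stamp $stamp)"
}

# Steps 3 and 4: unpack the downloaded release and let its bin/installto.sh
# copy the new files over the existing directory (it asks for confirmation
# before writing anything).
rc_upgrade() {
    dir=$1; tarball=$2
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    src=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    (cd "$src" && bin/installto.sh "$dir")
    rm -rf "$work"
}

# Usage (placeholder paths):
#   sh rc-upgrade.sh /var/www/roundcube /root/rc-backups /root/roundcubemail-1.2.3.tar.gz
if [ "$#" -eq 3 ]; then
    rc_backup "$1" "$2" && rc_upgrade "$1" "$3"
fi
```

Keep the backup directory outside the web root and verify that the .sql.gz is non-empty before running installto.sh, so the upgrade can be rolled back if a custom plugin or permission setting makes it fail.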
Conclusion
A critical Command Execution Vulnerability was disclosed in RoundCube on 6th Dec. All default installations of RoundCube are affected. Today we’ve covered how to determine if you are vulnerable, and what to do to upgrade RoundCube to the latest version.