While Exim is open source software that we bundle with our software and is not built by cPanel, this vulnerability is something that we feel deserves our attention. This is an extremely rare and specific situation that has the potential to impact everyone who interacts with the internet in any way. For that reason, we have released an update to patch this vulnerability for both Version 70 and Version 76. To ensure that your server has received the patch, please update to one of the following versions:
cPanel & WHM Versions 70 and 76 remain End of Life and will receive no other updates. This is a one-time bending of our policy, and we do not plan to pursue any other updates for these versions. We still strongly recommend that you keep your servers updated, and continue to run the most recent versions of cPanel & WHM available.
Exim is the mail server software cPanel & WHM servers use. Last week an exploit for Exim was identified, and today a patch for the exploit was released. This exploit allowed for both local and remote root-level privilege escalation. That means that you won’t need to be able to access the server as a user to exploit the server, as is the case with most security vulnerabilities that are found.
How to Protect Yourself
The best way to protect yourself is to upgrade to a supported version of cPanel & WHM. All supported versions of cPanel & WHM are immune to the exploit. Version 80 was never vulnerable, as it included a newer (and non-vulnerable) version of Exim. Thanks in large part to the improvements we’ve made around installs and updates, we were also able to take that update from Exim, test it, and release an update for Version 78 today.
To confirm you are already running a patched version, you can run this command on the server:
rpm -q exim
The output will show you the Exim versions that are installed, and should look something like what’s below:
For Version 78: exim-4.92-1.cp1178.x86_64
For Version 80: exim-4.92-1.cp1180.x86_64
cPanel & WHM Version 76 Not Patched (now patched, see above update)
cPanel & WHM Version 76 reached end of life in April of this year and was the last version to support EasyApache 3. Some hosting providers have not yet migrated to EasyApache 4, which means they are prevented from upgrading beyond Version 76. If you are using EasyApache 3, you are not only vulnerable to this exploit, but also dozens of exploits that exist in the now end-of-life versions of Apache and PHP used by EasyApache 3.
If you are concerned about migrating to EasyApache 4, you shouldn’t be! Migrating to EasyApache 4 is easy! Our Documentation breaks down all of the changes that have been made in the migration process in The EasyApache 3 to EasyApache 4 Migration Process. Any concerns about specific parts of the migration can be eased by reviewing the Current Status of EasyApache 4 documentation, which breaks down all of the bits we took into account.
Migrating can be done with the click of a button inside WHM. Just log in, go to the EasyApache 4 interface, and click Migrate. The command line steps to migrate can be found in our How to Install EasyApache 4 documentation as well.
There are no known-good workarounds at this time. The only way to ensure that you are protected is to upgrade your server to a patched version. Both Versions 78 and 80 are patched at this time. You can also see the CVE-2019-10149 Exim page in our documentation for more information about our response.
1110 Palms Airport Drive, Suite 110
Las Vegas, NV 89119