CVE-2021-38584
📋 TL;DR
This vulnerability allows XML External Entity (XXE) attacks through the WHM Locale Upload feature in cPanel. Attackers can exploit this to read arbitrary files from the server, potentially accessing sensitive configuration files or credentials. All cPanel installations before version 98.0.1 are affected.
💻 Affected Systems
- cPanel
📦 What is this software?
cPanel by cPanel
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like /etc/shadow, SSH keys, or database credentials, leading to privilege escalation and lateral movement.
Likely Case
Information disclosure of sensitive server files, potentially exposing configuration data, user information, or credentials.
If Mitigated
Limited impact if proper input validation and XML parsing restrictions are in place, preventing file read operations.
🎯 Exploit Status
Exploitation requires WHM administrative credentials. XXE attacks are well-documented and relatively easy to execute with proper access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 98.0.1
Vendor Advisory: https://docs.cpanel.net/changelogs/98-change-log/
Restart Required: No
Instructions:
1. Log into WHM as root.
2. Navigate to 'Update cPanel & WHM'.
3. Click 'Update to Latest Version'.
4. Confirm the update to version 98.0.1 or later.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable Locale Upload Feature
Temporarily disable the vulnerable WHM Locale Upload feature until patching is possible.
# Remove or restrict access to locale upload functionality
# This may require custom configuration changes or feature disabling in WHM
Restrict WHM Access
Limit WHM access to trusted IP addresses only through firewall rules.
# -A appends, so these rules only take effect if no earlier INPUT rule already accepts the port (check with iptables -L INPUT -n --line-numbers); repeat the pair for port 2086 if non-TLS WHM is enabled
# Rules added this way are lost on reboot unless saved (iptables-save) or added to the host firewall's persistent configuration
iptables -A INPUT -p tcp --dport 2087 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 2087 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WHM servers from sensitive internal systems
- Enable detailed logging and monitoring of WHM access and file read attempts
🔍 How to Verify
Check if Vulnerable:
Check cPanel version via WHM interface or run: /usr/local/cpanel/cpanel -V
Check Version:
/usr/local/cpanel/cpanel -V
Verify Fix Applied:
Verify version is 98.0.1 or later. Note that grep -q '98.0.1' matches only that exact release string (and a bare '.' matches any character), so a later fixed release such as 98.0.2 or 100.x would wrongly report as unpatched; compare the version numerically instead, assuming 'cpanel -V' prints either '98.0 (build 1)' or '11.98.0.1':
v=$(/usr/local/cpanel/cpanel -V | sed 's/^11\.//; s/ (build /./; s/)//'); [ "$(printf '%s\n' 98.0.1 "$v" | sort -V | head -n1)" = 98.0.1 ] && echo 'Patched'
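A more robust version check, added here as an example and not part of the advisory or of cPanel's own tooling. It assumes the version text is either '98.0 (build 1)' (cpanel -V style) or '11.98.0.1' (/usr/local/cpanel/version style), normalizes both to MAJOR.MINOR.BUILD and compares field by field, so it also recognises fixed releases later than 98.0.1:

```shell
#!/bin/sh
# Added example (not from the advisory or cPanel): decide whether a cPanel
# version string is at or past the fixed release 98.0.1 for CVE-2021-38584.
# A literal grep -q '98.0.1' matches only that one release (and '.' is a
# regex wildcard), so 98.0.2, 100.x and later all look unpatched.
# Assumed input formats: "98.0 (build 1)" or "11.98.0.1".

FIXED_VERSION="98.0.1"

# normalize_version: print MAJOR.MINOR.BUILD from either input form.
normalize_version() {
    v=$1
    # "98.0 (build 1)" -> "98.0.1"
    v=$(printf '%s' "$v" | sed 's/ *(build \([0-9][0-9]*\))/.\1/')
    # "11.98.0.1" -> "98.0.1": drop the legacy "11." prefix
    case $v in
        11.*) v=${v#11.} ;;
    esac
    printf '%s\n' "$v"
}

# version_ge A B: return 0 if dotted version A >= B, compared field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}             # leading field of each side
        [ "$ai" = "$a" ] && a= || a=${a#*.}  # drop it from the remainder
        [ "$bi" = "$b" ] && b= || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}             # a missing field counts as 0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# cpanel_patched VERSION_TEXT: print the verdict; exit 0 if patched, 1 if not.
cpanel_patched() {
    nv=$(normalize_version "$1")
    if version_ge "$nv" "$FIXED_VERSION"; then
        echo "patched ($nv)"; return 0
    fi
    echo "vulnerable ($nv)"; return 1
}

# Constructed sample inputs; on a live host use:
#   cpanel_patched "$(/usr/local/cpanel/cpanel -V)"
for sample in "98.0 (build 1)" "11.96.0.11" "100.0 (build 5)"; do
    cpanel_patched "$sample" || true   # non-zero status is the verdict, not an error
done
```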
📡 Detection & Monitoring
Log Indicators:
- Unusual XML file uploads via WHM
- Multiple failed locale upload attempts
- File read operations from unexpected WHM sessions
Network Indicators:
- XML payloads containing external entity references in WHM traffic
- Unusual outbound connections from WHM server following uploads
SIEM Query:
source="whm_logs" AND ("locale upload" OR "XML" OR "XXE") AND ("file read" OR "external entity")