CVE-2021-38587
📋 TL;DR
This vulnerability in cPanel's fix-cpanel-perl script allows local attackers to create arbitrary temporary files due to improper handling of file creation. It affects cPanel installations before version 96.0.13. Attackers could potentially escalate privileges or overwrite sensitive files.
💻 Affected Systems
- cPanel
📦 What is this software?
Cpanel by Cpanel
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise, arbitrary file overwrite, or denial of service.
Likely Case
Local user gains unauthorized access to sensitive files or disrupts cPanel functionality.
If Mitigated
Limited impact due to proper file permissions and restricted user access.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of the vulnerable script.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 96.0.13
Vendor Advisory: https://docs.cpanel.net/changelogs/96-change-log/
Restart Required: No
Instructions:
1. Update cPanel to version 96.0.13 or later using the cPanel update mechanism. 2. Run: /usr/local/cpanel/scripts/upcp --force
🔧 Temporary Workarounds
Restrict script execution
linuxRemove execute permissions from the vulnerable script for non-privileged users
chmod 750 /usr/local/cpanel/scripts/fix-cpanel-perl
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to the system
- Monitor for unauthorized file creation in temporary directories
🔍 How to Verify
Check if Vulnerable:
Check cPanel version: /usr/local/cpanel/cpanel -V | grep '^cPanel Version'Check Version:
/usr/local/cpanel/cpanel -V | grep '^cPanel Version'Verify Fix Applied:
Verify version is 96.0.13 or later: /usr/local/cpanel/cpanel -V📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in /tmp or other temporary directories
- Multiple executions of fix-cpanel-perl script
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
process.name:"fix-cpanel-perl" AND file.path:"/tmp/*"