CVE-2021-38589

8.1 HIGH

📋 TL;DR

This vulnerability in cPanel's fix-cpanel-perl script allows attackers to overwrite arbitrary files on the system. It affects cPanel installations before version 96.0.13, potentially enabling privilege escalation or system compromise.

💻 Affected Systems

Products:
  • cPanel
Versions: All versions before 96.0.13
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects standard cPanel installations; the fix-cpanel-perl script is part of the core cPanel installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary file overwrite leading to privilege escalation, backdoor installation, or complete control of the cPanel server.

🟠 Likely Case

Local privilege escalation allowing attackers to gain root access or compromise other user accounts on shared hosting environments.

🟢 If Mitigated

Limited impact if proper file permissions and access controls are in place, though the vulnerability still presents a significant risk.

🌐 Internet-Facing: MEDIUM - While the script may be accessible via web interfaces, exploitation typically requires some level of access to the system.
🏢 Internal Only: HIGH - This is primarily an internal/local vulnerability that can be exploited by users with shell access or through other compromised services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to execute the vulnerable script, but the vulnerability itself is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 96.0.13 and later

Vendor Advisory: https://docs.cpanel.net/changelogs/96-change-log/

Restart Required: No

Instructions:

1. Log into WHM as root.
2. Navigate to 'Update cPanel & WHM'.
3. Click 'Update to Latest Version Available'.
4. Alternatively, run: /usr/local/cpanel/scripts/upcp --force

🔧 Temporary Workarounds

Restrict script permissions

linux

Temporarily restrict execute permissions on the vulnerable script

chmod 000 /usr/local/cpanel/scripts/fix-cpanel-perl

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unauthorized script execution
  • Apply principle of least privilege to all user accounts and services

🔍 How to Verify

Check if Vulnerable:

Check cPanel version: /usr/local/cpanel/cpanel -V | grep '^cPanel Version'

Check Version:

/usr/local/cpanel/cpanel -V

Verify Fix Applied:

Verify version is 96.0.13 or higher: /usr/local/cpanel/cpanel -V
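
An added example (not cPanel's or this page's own code) that turns the version check above into a pass/fail test against 96.0.13, comparing fields numerically so that 96.0.9 is not ranked above 96.0.13. The accepted input shapes (plain dotted, a legacy "11." prefix, and "MAJOR.MINOR (build N)") and the function names are assumptions; the sample strings are constructed.

```bash
#!/usr/bin/env bash
# Added example: is a cPanel version string at or above the fixed release?
FIXED_VERSION="96.0.13"   # patch version stated on this page

# Reduce a version string to MAJOR.MINOR.BUILD; return 1 if it cannot be parsed.
# Assumed input shapes (not confirmed by the page):
#   "96.0.13", "11.96.0.13" (legacy "11." prefix), "96.0 (build 13)"
normalize_version() {
    local v
    v="$(printf '%s\n' "$1" | sed -E \
        -e 's/ *\(build ([0-9]+)\)$/.\1/' \
        -e 's/^11\.([0-9]+\.[0-9]+\.[0-9]+)$/\1/')"
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    printf '%s\n' "$v"
}

# Return 0 if patched (>= FIXED_VERSION), 1 if older, 2 if unparseable.
# Fields are compared as integers: a string compare would rank 96.0.9 above 96.0.13.
version_is_patched() {
    local v i cur fix
    v="$(normalize_version "$1")" || return 2
    for i in 1 2 3; do
        cur="$(printf '%s' "$v" | cut -d. -f"$i")"
        fix="$(printf '%s' "$FIXED_VERSION" | cut -d. -f"$i")"
        [ "$cur" -gt "$fix" ] && return 0
        [ "$cur" -lt "$fix" ] && return 1
    done
    return 0   # exactly the fixed version
}

# Constructed sample inputs; on a real host pass the version string reported there.
for sample in "96.0.13" "96.0.9" "96.0 (build 12)" "11.94.0.20" "98.0.1" "unknown"; do
    rc=0
    version_is_patched "$sample" || rc=$?
    case "$rc" in
        0) echo "$sample: patched" ;;
        1) echo "$sample: VULNERABLE (before $FIXED_VERSION)" ;;
        *) echo "$sample: could not parse" ;;
    esac
done
```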

📡 Detection & Monitoring

Log Indicators:

  • Unusual execution of fix-cpanel-perl script
  • File modification patterns in system logs
  • Unexpected privilege escalation attempts

Network Indicators:

  • Unusual outbound connections following script execution

SIEM Query:

process.name:"fix-cpanel-perl" AND NOT user.name:"root"
