A authenticated local root vulnerability has been discovered in ISPConfig.
Short Description
A correctly authenticated ISPconfig server administrator is able to modify the group
of a shell user which can be misused to get root access to the server.
ISPConfig is a server control panel: the admin user of ISPConfig is normally the person that administrates the whole server and in most cases this person has the root login details to his server anyway, so the vulnerability has no direct impact here. Systems where the ispconfig admin login details have been given to persons that shall not be able to access the server as root are affected and should be updated immediately or the ispconfig admin password of this other admin should be changed by the root user until ispconfig is updated.
We recommend all ISPConfig users to install the update to 3.0.5.4p2 which fixes the problem and contains also many other bugfixes.
CERT Tracking ID: VRF#HYB1YX6V
Questions and answers
Q: Can someone attack my server trough this exploit remotely?
A: No.
Q: Can someone attack my server without having the correct admin password?
A: No.
Q: Can a client or reseller attack my server trough this vulnerability?
A: No.
Q: Is this a privilege escalation issue?
A: Yes.
Q: Is a fix available for this Issue?
A: Yes, a fix is available already. Update your server to ISPConfig 3.0.5.4p2 by running:
ispconfig_update.sh
as root user on the shell of your server. See release notes for detailed update instructions and changelog.
Q: How can my server be affected by this vulnerability?
A: The server administrator can log into his server and modify
the group of a ssh web user by choosing a higher priveliged group and
then use this ssh user to login by ssh and attack the system.
Q: How did you fix it?
A: We reduced the permissions of the admin user in ispconfig so that he can not
choose non client groups for ssh users.