This release contains an important security fix for an authenticated local root vulnerability in the ISPConfig website cron system. The vulnerability has been assigned CVE-2017-17384 and was reported to us by Chris Kessler. The update should be installed immediately. All ISPConfig 3 versions before 3.1.9 are affected.
An attacker needs either the correct ISPConfig admin password, a remote user account (valid username and password) with permission to create cronjobs, or a client login with permission to create cronjobs.
We have received reports that the internet is currently being scanned for ISPConfig installations with weak admin passwords, especially for systems using the password 'admin'. Make sure that your system uses a strong admin user password to protect your server!
The ISPConfig 3.1.9 release scans your system for potentially malicious cronjobs and will report them during update.
If you cannot install the update right now, a possible temporary mitigation is to disable the cron plugin by removing its symlink like this:
rm -f /usr/local/ispconfig/server/plugins-enabled/cron_plugin.inc.php
After you have deleted that symlink it is no longer possible to create cronjobs from within ISPConfig (cronjobs will still show up in the ISPConfig UI in that case, but they will not be added to the Linux cron.d directory). To get the cron functionality back, recreate the symlink in the plugins-enabled folder pointing to the cron plugin in the plugins-available folder.
If you want to scan your system for potentially malicious cronjobs on the shell, use this command (copy and paste it on the shell as root user to execute it):
IFS=$'\n'
for F in $(find /etc/cron.d -type f -name "ispc_*") ; do
  USR=${F:17}                                   # strip the leading "/etc/cron.d/ispc_"
  if [[ "$USR" = "chrooted_"* ]] ; then USR=${USR:9} ; fi   # strip a "chrooted_" prefix
  USR=${USR%.*}                                 # strip a file extension, if any
  echo "Checking cron file $F for user $USR"
  for L in $(awk '{print $6}' "$F") ; do        # the 6th field of a cron.d line is the user
    if [[ "$USR" != "$L" ]] ; then echo "WARNING: $F contains cron job for user $L" ; fi
  done
done
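As an added example (not part of the original announcement and not ISPConfig's own code), the following Python scanner applies the same check as the shell command above, but additionally skips comment, blank and environment-assignment lines, understands @reboot-style schedules, reports unparsable lines instead of ignoring them, and can be run over /etc/cron.d or exercised against the constructed sample file it embeds. The file naming convention (ispc_<user>, optionally with a chrooted_ prefix and an extension) is taken from the shell command; the sample content is constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# ISPConfig names its cron.d files ispc_<user> or ispc_chrooted_<user>,
# possibly with an extension (naming taken from the shell check above).
_OWNER_RE = re.compile(r"^ispc_(?:chrooted_)?([^.]+)")
# cron.d job: five schedule fields or an @keyword, then the user, then the command.
_JOB_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.*)$")
# Environment assignments such as MAILTO="" or PATH=/usr/bin are not jobs.
_ENV_RE = re.compile(r"^\w+\s*=")

Finding = Tuple[int, str, str]  # (line number, user, command)


def expected_user(filename: str) -> Optional[str]:
    """Derive the user the file's jobs should run as from the ISPConfig file name."""
    m = _OWNER_RE.match(filename)
    return m.group(1) if m else None


def foreign_jobs(filename: str, content: str) -> List[Finding]:
    """Return every job that does not run as the file's owner; unparsable lines get user '?'."""
    owner = expected_user(filename)
    findings: List[Finding] = []
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_RE.match(line):
            continue
        m = _JOB_RE.match(line)
        if not m:
            findings.append((no, "?", line))  # do not silently skip odd lines
            continue
        user, command = m.groups()
        if user != owner:
            findings.append((no, user, command))
    return findings


def scan_cron_dir(directory: str = "/etc/cron.d") -> Dict[str, List[Finding]]:
    """Scan all ispc_* files in directory; returns {path: findings} for files with findings."""
    report: Dict[str, List[Finding]] = {}
    for path in sorted(Path(directory).glob("ispc_*")):
        if path.is_file():
            findings = foreign_jobs(path.name, path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report


# Constructed sample, not a real ISPConfig file: the last job runs as root
# although the file belongs to web1, so the scanner must flag it.
SAMPLE_FILE = """\
# jobs for web1 (constructed sample)
MAILTO=""
*/5 * * * * web1 /usr/bin/php /var/www/clients/client1/web1/cron.php
@reboot web1 /var/www/clients/client1/web1/start.sh
0 3 * * * root /bin/sh /var/www/clients/client1/web1/x.sh
"""
```

Run as root with `scan_cron_dir()` to get a dictionary of flagged files; each entry lists the line number, user and command of every job that does not run as the file's owner.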
Besides the security fix, the 3.1.9 release contains some other minor bugfixes; please see the release notes for details.
The software can be downloaded here:
http://www.ispconfig.org/downloads/ISPConfig-3.1.9.tar.gz
Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
Please report bugs to the ISPConfig bug tracking system:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15
The installation instructions for ISPConfig can be found here:
http://www.ispconfig.org/ispconfig-3/documentation/
To update existing ISPConfig 3 installations, run these commands in the shell:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.9.tar.gz
tar xvfz ISPConfig-3.1.9.tar.gz
cd ispconfig3_install/install
php -q update.php