In Progress CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl

BowFarmer

Yesterday’s PCI Scan by Sysnet indicated a Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl.

The details of the scan noted that the cookies for roundcube_sessid, roundcube_sessauth, Horde, horde_secret_key, PPA_ID, and imp_key, all consisted of common characters among subsequent cookies. Actually the values of all the cookies were “expired”. So even though one could not predict a subsequent session ID, since the values were all the same, the PCI Scan software flagged the values as being predictable session IDs.

I raised this as a false positive, and Sysnet accepted my explanation and passed my PCI Scan.

But I have RoundCube and Horde disabled. I don't provide any mail services on my server. So why when I go to port 2087 to access WHM, are these cookies even being sent? When I log in, the only cookie that is actually set is whostmgrsession, and that value is a long string and clearly not anything predictable.

Why is WHM wanting to set all these expired cookies (roundcube_sessid, roundcube_sessauth, Horde, horde_secret_key, PPA_ID, and imp_key)?

Is there a way to turn this behavior off?

Safari and Chrome don't even show these cookies because they are all expired. Firefox lists them in the console log with Cookie “x” has been rejected because it is already expired, for each of those cookies.
 

cPRex

Jurassic Moderator
Staff member
I found a case that our developers opened just last Friday about this issue due to all the Horde changes happening recently. That case number is CPANEL-42515, but I don't have a resolution just yet. I did also add a comment about the Roundcube headers to that as well, and I'll share any details I hear with the team here!
 

BowFarmer

I'm seeing the same expired Set-Cookie requests being made when I bring up the cPanel login screen on port 2083:

* Added cookie roundcube_sessid="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie roundcube_sessauth="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: roundcube_sessauth=expired; HttpOnly; domain=xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: Horde=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie horde_secret_key="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: horde_secret_key=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /horde, expire 1
< Set-Cookie: Horde=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/horde; port=2083; secure
* Added cookie PPA_ID="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: PPA_ID=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie imp_key="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: imp_key=expired; HttpOnly; domain=xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
* Added cookie Horde="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: Horde=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083
* Added cookie horde_secret_key="expired" for domain xyz.com, path /, expire 1
< Set-Cookie: horde_secret_key=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083

Since the cookies are all expired, they get tossed by browsers.

I am running cPanel 106.0 (build 18). Apache 2.4.55. PHP Version 8.1.16. MySQL Version 8.0.32. OS linux. Kernel Version 3.10.0-1160.81.1.el7.x86_64.
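An added example, not part of the thread and not cPanel's or the scanner's code: a small triage script that reads `curl -v` style response headers and separates cookie-clearing headers (an `expires` date in the past, as in the output above) from cookies that are actually issued. The function names and the `whostmgrsession` placeholder value are assumptions made for the illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: two header lines copied from the curl output above plus
# one made-up live session cookie (its value is a placeholder) for contrast.
SAMPLE = """\
< Set-Cookie: roundcube_sessid=expired; HttpOnly; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083; secure
< Set-Cookie: Horde=expired; HttpOnly; domain=.xyz.com; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; port=2083
< Set-Cookie: whostmgrsession=CONSTRUCTED-PLACEHOLDER; HttpOnly; path=/; port=2087; secure
"""

def parse_set_cookie(line):
    """Split one Set-Cookie line into (name, value, lower-cased attributes)."""
    body = line.split(":", 1)[1]
    pair, *rest = [part.strip() for part in body.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def is_deletion(attrs, now=None):
    """True when the header clears a cookie instead of issuing one."""
    now = now or datetime.now(timezone.utc)
    try:
        if "max-age" in attrs and int(attrs["max-age"]) <= 0:
            return True
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass  # unparseable attribute: treat the cookie as live and review it
    return False

def triage(header_text):
    """Map each cookie name to 'deletion' or 'live' (live wins on conflict)."""
    result = {}
    for raw in header_text.splitlines():
        line = raw.lstrip("< ").strip()  # accept curl -v response lines
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _value, attrs = parse_set_cookie(line)
        if result.get(name) != "live":
            result[name] = "deletion" if is_deletion(attrs) else "live"
    return result

if __name__ == "__main__":
    for name, kind in triage(SAMPLE).items():
        print(f"{name}: {kind}")
```

Only the names reported as `live` carry a value that a session ID predictability check needs to look at; the `deletion` entries are the ones to cite when filing a false-positive dispute.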