by ricardonunez 33 days ago
Of course it is the architecture and the creator of such a thing; isn't the point of a tool like that for users that don't have the tech knowledge? I have only used those systems on shared hosting. Host providers are the ones maintaining them and should be keeping them up to date, and WHM/cPanel have plenty of customers to worry about too, to patch holes. If they can't, then whose fault is it, architecture or provider? Hopefully it's the customer's fault?

I would worry less about big shared hosting providers, who have a strong interest in patching their stuff quickly, than the market of people who get one or two dedicated servers or KVM VMs and then install cPanel on them and, for the rest of the time they use it, ignore the CLI of the servers and never patch anything. There are a lot of small users of cPanel that have just a few licenses.
You misunderstood the scope and severity of the bug entirely.

Yes, if you are a single tenant, this diminishes defense in depth, so an attacker that gets access with a user like www-data can escalate to root, sure.

But more importantly, on multi-tenant systems, one tenant can get root and pwn all the other tenants.

Big shared hosting providers are the most vulnerable. 'Just patching' stuff might work, sure, but there are several scenarios where it might not be enough, like lightning striking twice, as just happened, or an attacker getting in before the patch.

I understand the concept of a local privilege escalation just fine, thanks. My point was that large hosting providers are much more likely to have people paying attention to patching these things (and possibly, worst case scenario as you describe, mitigating things if someone does compromise a shared hosting system). Individual one-off cpanel instances may have nobody paying attention to security issues for months or years at a time until something totally breaks.