Imunify360 Bug Leaves Linux Web Servers Open to Code Execution, Takeover

  • Tara Seals--Threatpost
  • published date: 2021-11-22 19:14:11 UTC

CloudLinux’s security platform for Linux-based websites and web servers contains a high-severity PHP deserialization bug.

<div class="c-article__content js-reading-content">
<p>A high-severity security vulnerability in CloudLinux’s Imunify360 cybersecurity platform could lead to arbitrary code execution and web-server takeover, according to researchers.</p>
<p>Imunify360 is a security platform for Linux-based web servers that allows users to configure various settings for real-time website protection and web-server security. It offers an advanced firewall, intrusion detection and prevention, antivirus and antimalware scanning, automatic kernel patch updates, and a web-host panel integration for managing it all.</p>
<p>According to researchers at Cisco Talos, the bug (CVE-2021-21956) resides in the Ai-Bolit scanning functionality of Imunify360, which allows webmasters and site administrators to search for viruses, vulnerabilities and malware code.</p>
<p>The bug, which rates 8.2 out of 10 on the CVSSv3.0 vulnerability-severity scale, causes the scanner to deserialize data that an attacker controls, which in turn lets the attacker execute arbitrary code.</p>
<p>“A PHP unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.8 and 5.9,” according to the Talos advisory, issued on Monday.</p>
<p>It added, “To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns generated by common obfuscators…When a certain signature (regex) is inside a scanned file, the proper de-obfuscation handler is executed, which tries to pull out essential data from the obfuscated code.”</p>
<p>This handler, called “decodedFileGetContentsWithFunc,” contains a call to the unserialize function; however, there is no input sanitization to check whether the function’s input data is malicious, giving an attacker an opportunity to execute arbitrary code during unserialization. The data being unserialized is pulled out of the file under scan, so whoever wrote that file decides which objects the scanner instantiates.</p>
<p>By default, the Ai-Bolit scanner is installed as a service and runs with root privileges, so a successful attacker gets full control of the server.</p>
<h2><strong>Exploitation</strong></h2>
<p>“A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability,” according to Cisco Talos’ analysis (which also contains a proof-of-concept exploit).</p>
<p>In practice, there are a couple of ways for an attacker to carry out an exploit in the real world, researchers said. If Imunify360 is configured with real-time file-system scanning, the attacker need only create the malicious file somewhere on the system; the scanner picks it up and processes it on its own. Otherwise, the attacker can deliver the malicious file to the target, and the exploit fires when a user scans it with the Ai-Bolit scanner. In both cases the code runs with the scanner’s privileges, which by default are root, so any path that lets an untrusted party write a file onto a protected server, such as an upload form or an already compromised tenant site, is a potential trigger.</p>
<p>Those using Imunify360 to protect their Linux web servers should upgrade to the latest version of the platform, which contains a patch, to prevent successful cyberattacks. The installed agent version can be checked with the imunify360-agent version command; 5.8 and 5.9 are the versions named as affected.</p>
<p>Marcin “Icewall” Noga of Cisco Talos is credited with discovering the bug.</p>
</div>
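<p>The bug class described above, as an added example that is not Ai-Bolit’s or CloudLinux’s code: a toy “deobfuscation handler” matches a signature regex against a scanned file, pulls out the embedded blob and hands it to unserialize(), so the file’s author chooses which objects get instantiated inside the scanner process. The LogFlusher gadget class, the SIGNATURE regex, the hand-written serialized payload and the command string are all constructed for this demonstration; the gadget only records the attacker-chosen string instead of executing it. The hardened handler shows the narrowest fix, unserialize() with allowed_classes set to false.</p>

```php
<?php
// Added example, not the scanner's own code. Models a deobfuscation handler
// that unserializes data extracted from the file it is scanning.

// Stand-in gadget: any class already loaded in the scanner whose magic method
// acts on its own properties. A real chain would end in system(), eval() or
// file_put_contents(); this one only records the string so the demo is inert.
class LogFlusher
{
    public static $sinkCalls = [];
    public $cmd = '';

    public function __destruct()
    {
        // Hypothetical sink. In a root-privileged scanner, system($this->cmd)
        // here would be root command execution.
        self::$sinkCalls[] = $this->cmd;
    }
}

// Signature regex for one made-up obfuscator pattern:
//   unserialize(base64_decode('<blob>'))
const SIGNATURE = '/unserialize\(\s*base64_decode\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]\s*\)\s*\)/';

// Vulnerable handler: the extracted blob goes straight into unserialize().
function deobfuscateVulnerable($fileContent)
{
    if (!preg_match(SIGNATURE, $fileContent, $m)) {
        return null;
    }
    return unserialize(base64_decode($m[1]));
}

// Hardened handler: allowed_classes=false turns every object in the payload
// into __PHP_Incomplete_Class, so no real class's magic methods ever run.
// The handler still gets the scalar/array data it needs for deobfuscation.
function deobfuscateHardened($fileContent)
{
    if (!preg_match(SIGNATURE, $fileContent, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict: reject junk characters
    if ($decoded === false) {
        return null;
    }
    return unserialize($decoded, ['allowed_classes' => false]);
}

// Constructed "scanned file": what an attacker would drop into a watched web
// root. The serialized blob is written by hand so the only LogFlusher object
// in this script is the one unserialize() creates.
$serialized  = 'O:10:"LogFlusher":1:{s:3:"cmd";s:15:"id > /tmp/pwned";}';
$scannedFile = "<?php\n\$x = unserialize(base64_decode('"
    . base64_encode($serialized) . "'));\n";

// Run one handler over the file and report what was instantiated and
// whether the gadget's sink fired when the object was destroyed.
function scanWith($handler, $file)
{
    LogFlusher::$sinkCalls = [];
    $obj   = $handler($file);
    $class = is_object($obj) ? get_class($obj) : gettype($obj);
    unset($obj);                 // refcount hits zero, __destruct runs here
    return [$class, LogFlusher::$sinkCalls];
}

[$class, $calls] = scanWith('deobfuscateVulnerable', $scannedFile);
printf("vulnerable: instantiated %s, sink called with %s\n", $class, json_encode($calls));

[$class, $calls] = scanWith('deobfuscateHardened', $scannedFile);
printf("hardened:   instantiated %s, sink called with %s\n", $class, json_encode($calls));
```

<p>The vulnerable path instantiates a real LogFlusher and its destructor runs with the attacker’s string; the hardened path yields only a __PHP_Incomplete_Class and the sink is never reached. Setting allowed_classes is the minimal change; the stronger fix for a scanner is to never call unserialize() on content taken from the files it inspects, since a file scanner that runs as root is a privileged parser of attacker-supplied input and should treat every extracted blob as opaque bytes.</p>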