CloudLinux's security platform for Linux-based websites and web servers contains a high-severity PHP deserialization bug.
A high-severity security vulnerability in CloudLinux's Imunify360 security platform could lead to arbitrary code execution and web-server takeover, according to researchers.
Imunify360 is a security platform for Linux-based web servers that lets users set up various configurations for real-time website protection and web-server security. It provides an advanced firewall, intrusion detection and prevention, antivirus and antimalware scanning, automated kernel patch updates, and web-hosting panel integration for managing it all.
According to researchers at Cisco Talos, the bug (CVE-2021-21956) specifically exists in the Ai-Bolit scanning functionality of Imunify360, which allows website owners and site administrators to scan for viruses, vulnerabilities and malicious code.
The bug, which rates 8.2 out of 10 on the CVSSv3 vulnerability-severity scale, can lead to a deserialization issue with attacker-controllable data, which would allow an attacker to execute arbitrary code.
"A PHP unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.8 and 5.9," according to a posting from the firm, issued on Monday.
It added, "To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns produced by common obfuscators…When a particular signature (regex) is present in a scanned file, the appropriate de-obfuscation handler is executed, which tries to extract key information from the obfuscated code."
This handler, called "decodedFileGetContentsWithFunc," contains a call to the unserialize function. However, there is no input sanitization to check whether the function's input data is malicious, giving an attacker the opportunity to execute arbitrary code during unserialization.
By default, the Ai-Bolit scanner is installed as a service and runs with root privileges, which would give a successful attacker full control.
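The pattern described above, a scanner handler that feeds a string lifted out of a scanned file straight into unserialize(), is shown below alongside a hardened variant. This is an added example written for this article, not Imunify360's own code: the function names, the Demo class, the regex and the sample file contents are all constructed for illustration.

```php
<?php
// Added example, not Imunify360 code. Demonstrates why unserialize() on data
// taken from a scanned file is dangerous and how a scanner can avoid it.

// Any class loaded in the scanner process with a magic method becomes reachable
// once attacker-controlled data reaches unserialize(). This benign class only
// records that its __wakeup() ran, which is enough to show code executed.
class Demo {
    public static int $wakeups = 0;
    public string $note = '';
    public function __wakeup(): void { self::$wakeups++; }
}

// Hypothetical obfuscator signature: a single-quoted literal passed to unserialize().
const SIGNATURE = '/unserialize\(\s*\'(.+?)\'\s*\)/s';

// Vulnerable handler in the style the advisory describes: the captured string
// comes from the scanned file, so the scanned file controls what gets instantiated.
function unsafe_extract(string $fileContent): mixed
{
    if (preg_match(SIGNATURE, $fileContent, $m)) {
        return unserialize($m[1]);          // no sanitization of untrusted input
    }
    return null;
}

// Hardened handler: only scalars and arrays are ever reconstructed, and no
// object is instantiated, so no __wakeup()/__destruct() can run.
function safe_extract(string $fileContent): mixed
{
    if (!preg_match(SIGNATURE, $fileContent, $m)) {
        return null;
    }
    $blob = $m[1];
    // Reject anything that encodes an object (O:) or custom-serialized object (C:).
    if (preg_match('/(^|[;{])[OC]:\d+:/', $blob)) {
        return null;
    }
    // allowed_classes => false (PHP >= 7.0) turns any object that slips through into
    // __PHP_Incomplete_Class; max_depth (PHP >= 7.4) bounds nesting. Errors are
    // suppressed and reported as null rather than surfacing as a notice.
    $result = @unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    return ($result === false && $blob !== 'b:0;') ? null : $result;
}

// Constructed sample "scanned files": one carries a serialized object, one an array.
$objFile = '<?php $x = unserialize(\'O:4:"Demo":1:{s:4:"note";s:2:"hi";}\'); ?>';
$arrFile = '<?php $x = unserialize(\'a:2:{i:0;s:3:"abc";i:1;i:5;}\'); ?>';

$r1 = unsafe_extract($objFile);          // Demo object, __wakeup() has run
$r2 = safe_extract($objFile);            // null: object payload refused
$r3 = safe_extract($arrFile);            // ['abc', 5]: plain data still extracted

printf("unsafe: %s, wakeups=%d\n", get_debug_type($r1), Demo::$wakeups);
printf("safe on object: %s\n", var_export($r2, true));
printf("safe on array: %s\n", json_encode($r3));
```

The point of the hardened version is not the regex on its own, which is a belt-and-braces filter, but the allowed_classes option: once no class can be instantiated from scanned bytes, the deserialization path stops being a code-execution path, and the scanner can still pull string and array data out of obfuscated samples. Running with root privileges, as the article notes the scanner does by default, is a separate issue; the service should also be confined so that a future parser bug cannot hand over the whole host.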
Exploitation
"A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability," according to Cisco Talos' analysis (which also contains a proof-of-concept exploit).
In practice, there are a couple of ways for an attacker to carry out an exploit in the real world, researchers said. For one, if Imunify360 is configured with real-time file-system scanning, the attacker need only create a malicious file on the system, they noted. Alternatively, the attacker could deliver a malicious file directly to the target, which would trigger the exploit when a user scans it with the Ai-Bolit scanner.
Those using Imunify360 to protect their Linux web servers should upgrade to the latest version of the platform, which includes a patch, to prevent successful attacks.
Marcin 'Icewall' Noga of Cisco Talos is credited with finding the bug.
Some components of this report are sourced from:
threatpost.com