Imunify360 Bug – Makes Linux Web Servers Vulnerable to Code Execution & Takeover!

Imunify360 Bug – Makes Linux Web Servers Vulnerable to Code Execution & Takeover!

Cloud Linux’ security platform for Linux-based websites & web servers contains a high-severity PHP de-serialisation bug.

A high-severity security vulnerability in Cloud Linux’s Imunify360 cybersecurity platform could lead to arbitrary code execution & web-server takeover, according to researchers.

Imunify360 is a security platform for Linux-based web servers that allows users to configure various settings for real-time website protection & web-server security.

Advanced Firewall

It offers an advanced firewall, intrusion detection & prevention, antivirus & antimalware scanning, automatic kernel patch updates and a web-host panel integration for managing it all.

According to researchers at Cisco Talos, the bug (CVE-2021-21956) specifically exists in the Ai-Bolit scanning functionality of the Imunift360, which allows webmasters & site administrators to search for viruses, vulnerabilities & malware code.

The bug, which rates 8.2 out of 10 on the CVSSv3.0 vulnerability-severity scale, can lead to a de-serialisation condition with controllable data, which would allow an attacker to then execute arbitrary code.

List of Signatures

“A PHP unserialise vulnerability exists in the Ai-Bolit functionality of Cloud Linux Inc Imunify360 5.8 & 5.9,” according to a posting from the firm, issued on Mon.

It added, “To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns generated by common obfuscators…When a certain signature (regex) is inside a scanned file, the proper de-obfuscation handler is executed, which tries to pull out essential data from the obfuscated code.”

This handler, called “decodedFileGetContentsWithFunc,” contains a call to the un-serialise function – however, there is no input sanitisation to check whether the function’s input data is malicious, thus giving an attacker an opportunity to execute arbitrary code during un-serialisation.

By default, the Ai-Boilt scanner is installed as a service & works with a root privileges, which would give a successful attacker full control.


“A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability,” according to Cisco Talos’ analysis (which also contains a proof-of-concept exploit).

In practice, there are a couple of ways for an attacker to carry out an exploit in the real world, researchers stated. For one, if Immunify360 is configured with real-time file system scanning, the attacker need only to create a malicious file in the system, they noted.

Malicious File

Or the attacker could also provide a malicious file directly to the target, which would trigger an exploit when a user scans it with the Ai-Bolit scanner.

Those using Imunify360 to protect their Linux webservers should upgrade to the latest version of the platform to prevent successful cyber-attacks – it contains a patch.

Marcin ‘Icewall’ Noga of Cisco Talos is credited with discovering the bug.