
Imunify360 Bug – Makes Linux Web Servers Vulnerable to Code Execution & Takeover!


Cloud Linux's security platform for Linux-based websites & web servers contains a high-severity PHP de-serialisation bug.

A high-severity security vulnerability in Cloud Linux’s Imunify360 cybersecurity platform could lead to arbitrary code execution & web-server takeover, according to researchers.

Imunify360 is a security platform for Linux-based web servers that allows users to configure various settings for real-time website protection & web-server security.

Advanced Firewall

It offers an advanced firewall, intrusion detection & prevention, antivirus & antimalware scanning, automatic kernel patch updates and a web-host panel integration for managing it all.

According to researchers at Cisco Talos, the bug (CVE-2021-21956) specifically exists in the Ai-Bolit scanning functionality of Imunify360, which allows webmasters & site administrators to search for viruses, vulnerabilities & malware code.

The bug, which rates 8.2 out of 10 on the CVSSv3.0 vulnerability-severity scale, can lead to a de-serialisation condition with controllable data, which would allow an attacker to then execute arbitrary code.

List of Signatures

“A PHP unserialise vulnerability exists in the Ai-Bolit functionality of Cloud Linux Inc Imunify360 5.8 & 5.9,” according to a posting from the firm, issued on Monday.

It added, “To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns generated by common obfuscators…When a certain signature (regex) is inside a scanned file, the proper de-obfuscation handler is executed, which tries to pull out essential data from the obfuscated code.”

This handler, called “decodedFileGetContentsWithFunc,” contains a call to the unserialise function – however, there is no input sanitisation to check whether the function’s input data is malicious, which gives an attacker an opportunity to execute arbitrary code during unserialisation.
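The pattern Talos describes is a de-obfuscation handler that extracts a blob from a scanned file and hands it straight to unserialize(). The block below is an added illustration of that unsafe shape beside a hardened one; it is not Imunify360's or Ai-Bolit's own code, and the function names, the regex and the sample inputs are assumptions constructed for the example (PHP 8 assumed).

```php
<?php
// Added illustration (hypothetical names; not Imunify360's own code):
// a de-obfuscation handler that unserialises data pulled out of a scanned file.
declare(strict_types=1);

// Assumed signature for the kind of pattern an obfuscator leaves behind.
const OBFUSCATOR_SIGNATURE = '/base64_decode\(["\']([A-Za-z0-9+\/=]+)["\']\)/';

// Unsafe form: whatever the scanned file carries reaches unserialize() unchecked,
// so the file's author chooses which classes are instantiated and whose
// __wakeup()/__destruct() run, inside the scanner's process.
function decodeSerialisedBlobUnsafe(string $scannedContent): mixed
{
    if (preg_match(OBFUSCATOR_SIGNATURE, $scannedContent, $m) !== 1) {
        return null;
    }
    return unserialize(base64_decode($m[1])); // the shape the advisory describes
}

// Hardened form: forbid class instantiation during unserialisation, then reject
// the result if it carried any object at all. A scanner only needs plain data.
function decodeSerialisedBlobSafe(string $scannedContent): ?array
{
    if (preg_match(OBFUSCATOR_SIGNATURE, $scannedContent, $m) !== 1) {
        return null;
    }
    $raw = base64_decode($m[1], true); // strict: reject non-base64 input
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false turns every 'O:' entry into __PHP_Incomplete_Class,
    // so no real class's constructor, __wakeup() or __destruct() is reached.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        return null; // malformed serialised data
    }
    if (containsObject($data)) {
        return null; // objects (even incomplete ones) are never acceptable here
    }
    return is_array($data) ? $data : [$data];
}

// Recursively check a decoded value for any object, nested arrays included.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (containsObject($v)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: plain array data behind an obfuscator-style wrapper.
$benign = '<?php eval(base64_decode("' . base64_encode(serialize(['key' => 'value'])) . '"));';
var_dump(decodeSerialisedBlobSafe($benign)); // array(1) { ["key"]=> string(5) "value" }

// Constructed sample: a serialised object of a class that does not exist here;
// the hardened handler refuses it instead of instantiating anything.
$withObject = '<?php eval(base64_decode("' . base64_encode('O:7:"Example":0:{}') . '"));';
var_dump(decodeSerialisedBlobSafe($withObject)); // NULL
```

The design point is that a scanner has no legitimate reason to rebuild objects from the files it inspects: restricting unserialize() to scalars and arrays (or switching the handler to a data-only format such as JSON) removes the class of bug entirely rather than trying to spot malicious payloads with signatures.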

By default, the Ai-Bolit scanner is installed as a service & runs with root privileges, which would give a successful attacker full control.

Exploitation

“A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability,” according to Cisco Talos’ analysis (which also contains a proof-of-concept exploit).

In practice, there are a couple of ways for an attacker to carry out an exploit in the real world, researchers stated. For one, if Imunify360 is configured with real-time file system scanning, the attacker need only create a malicious file on the system, they noted.

Malicious File

Or the attacker could also provide a malicious file directly to the target, which would trigger an exploit when a user scans it with the Ai-Bolit scanner.

Those using Imunify360 to protect their Linux web servers should upgrade to the latest version of the platform, which contains a patch, to prevent successful cyber-attacks.

Marcin ‘Icewall’ Noga of Cisco Talos is credited with discovering the bug.
