Cloud Linux’s security platform for Linux-based websites & web servers contains a high-severity PHP de-serialisation bug.
A high-severity security vulnerability in Cloud Linux’s Imunify360 cybersecurity platform could lead to arbitrary code execution & web-server takeover, according to researchers.
Imunify360 is a security platform for Linux-based web servers that allows users to configure various settings for real-time website protection & web-server security.
It offers an advanced firewall, intrusion detection & prevention, antivirus & antimalware scanning, automatic kernel patch updates and a web-host panel integration for managing it all.
According to researchers at Cisco Talos, the bug (CVE-2021-21956) specifically exists in the Ai-Bolit scanning functionality of Imunify360, which allows webmasters & site administrators to search for viruses, vulnerabilities & malware code.
The bug, which rates 8.2 out of 10 on the CVSSv3.0 vulnerability-severity scale, can lead to a de-serialisation condition with controllable data, which would allow an attacker to then execute arbitrary code.
List of Signatures
Cisco Talos added, “To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns generated by common obfuscators…When a certain signature (regex) is inside a scanned file, the proper de-obfuscation handler is executed, which tries to pull out essential data from the obfuscated code.”
This handler, called “decodedFileGetContentsWithFunc,” contains a call to the unserialise function; however, there is no input sanitisation to check whether the function’s input data is malicious, giving an attacker an opportunity to execute arbitrary code during un-serialisation.
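As an added illustration (not Ai-Bolit’s or Cisco Talos’ code), here is a hypothetical de-obfuscation handler of the shape the article describes: a signature regex captures data from a scanned file and hands it to unserialize(). The unsafe form is shown beside a hardened form; the signature, the sample file content and the function names are all constructed for this example.

```php
<?php
// Constructed sample of "obfuscated" file content of the kind a signature might match:
// a call wrapping a base64-encoded serialised value. Here the payload is a harmless array.
$sample = 'eval(unserialize(base64_decode("'
        . base64_encode(serialize(['k' => 'v'])) . '")));';

// Hypothetical signature: capture the base64 payload inside the matched call.
const SIGNATURE = '~unserialize\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)~';

// Unsafe handler (the pattern the advisory describes): whatever the scanned file
// contains is passed straight to unserialize(). A serialised object in the file
// would be instantiated inside the scanner, which runs as root by default.
function decodeUnsafe(string $src) {
    if (!preg_match(SIGNATURE, $src, $m)) {
        return null;
    }
    return unserialize(base64_decode($m[1]));
}

// Hardened handler: strict base64 decoding, refusal of payloads that carry object,
// custom-class or reference tokens, allowed_classes => false so nothing can be
// instantiated even if a token slips through, and a result limited to scalars/arrays.
// Note: unserialize() on untrusted input is still best avoided entirely; prefer a
// data-only format such as JSON when the scanner only needs extracted strings.
function decodeHardened(string $src) {
    if (!preg_match(SIGNATURE, $src, $m)) {
        return null;
    }
    $raw = base64_decode($m[1], true);
    if ($raw === false || preg_match('/[OCrR]:\d+:/', $raw)) {
        return null;   // object / custom-class / reference tokens: reject before parsing
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null;   // malformed payload
    }
    return (is_scalar($value) || is_array($value)) ? $value : null;
}

var_dump(decodeUnsafe($sample));    // array('k' => 'v') for this benign sample
var_dump(decodeHardened($sample));  // same array; an object payload would return NULL
```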
By default, the Ai-Bolit scanner is installed as a service & runs with root privileges, which would give a successful attacker full control.
“A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability,” according to Cisco Talos’ analysis (which also contains a proof-of-concept exploit).
In practice, there are a couple of ways for an attacker to carry out an exploit in the real world, researchers stated. For one, if Imunify360 is configured with real-time file system scanning, the attacker need only create a malicious file on the system, they noted.
Alternatively, the attacker could provide a malicious file directly to the target, which would trigger the exploit when a user scans it with the Ai-Bolit scanner.
Those using Imunify360 to protect their Linux web servers should upgrade to the latest version of the platform, which contains a patch, to prevent successful cyber-attacks.
Marcin ‘Icewall’ Noga of Cisco Talos is credited with discovering the bug.