Researchers reveal that a high-severity security flaw in CloudLinux’s Imunify360 cybersecurity technology might lead to arbitrary code execution and web-server takeover. Imunify360, a security platform for Linux-based web servers, allows users to customize a variety of settings for real-time site protection and server security. It includes a powerful firewall, intrusion detection and prevention, antivirus and antimalware scanning, automated kernel patch updates, and management through a web-hosting panel.
The flaw (CVE-2021-21956), according to Cisco Talos researchers, is found in Imunify360’s Ai-Bolit scanning feature, which allows web admins and site managers to search for malware code, vulnerabilities, and viruses. The flaw can cause the scanner to deserialize attacker-controlled data, allowing an attacker to run arbitrary code.
According to a blog post published by CloudLinux Inc on Monday, the Ai-Bolit capability of CloudLinux Inc Imunify360 5.8 and 5.9 has a PHP unserialize vulnerability. The Ai-Bolit scanner is deployed as a service by default and runs with root privileges, giving a successful attacker complete control.
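To make the class of bug concrete, the following is an added example written for this page; it is not CloudLinux or Imunify360 code and does not reproduce the Ai-Bolit issue. The class name `ScanReport`, the helper functions `unsafeLoad`/`safeLoad`, and the serialized blob are all constructed for the demonstration. It shows the defender-relevant point: calling `unserialize()` on data the caller does not control lets the input choose which application class is instantiated and fires that class's magic hooks (`__wakeup`, `__destruct`) in the process doing the unserialize, which in the scanner's case is a root service. The second function shows the standard mitigation, `allowed_classes => false`, under which object payloads degrade to `__PHP_Incomplete_Class` and no application hook is reached.

```php
<?php
// Added example (not CloudLinux/Imunify360 code): why unserialize() on
// attacker-controlled input is dangerous, and the hardened call form.
// Every name and sample value below is constructed for this demo.

declare(strict_types=1);

// Hypothetical application class. PHP runs __wakeup automatically every
// time an instance of it is produced by unserialize().
final class ScanReport
{
    /** @var string[] record of hook invocations, for the demo only */
    public static array $log = [];
    public string $path = '';

    public function __wakeup(): void
    {
        // Anything here executes with the privileges of the process that
        // called unserialize() (root, for a scanner running as a root service).
        self::$log[] = 'wakeup fired for ' . $this->path;
    }
}

// Constructed untrusted input: a serialized ScanReport that the program
// never intended to accept from outside. The caller did not pick the class;
// the input did.
const UNTRUSTED_BLOB = 'O:10:"ScanReport":1:{s:4:"path";s:9:"/tmp/demo";}';

// VULNERABLE pattern: default unserialize() instantiates whatever class the
// serialized string names and runs its hooks.
function unsafeLoad(string $blob): mixed
{
    return unserialize($blob);
}

// HARDENED pattern (PHP >= 7.0): allowed_classes => false means object
// payloads are materialised as __PHP_Incomplete_Class, whose __wakeup and
// __destruct are never dispatched to application code. If the data format
// does not need objects at all, prefer JSON (json_decode($blob, true)) so
// there is no class instantiation path in the first place.
function safeLoad(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Demo: same input, two outcomes. Compare the class of the returned value and
// whether the ScanReport hook ran.
$a = unsafeLoad(UNTRUSTED_BLOB);
printf("unsafe: class=%s hooks_run=%d\n", get_class($a), count(ScanReport::$log));

$b = safeLoad(UNTRUSTED_BLOB);
printf("safe:   class=%s hooks_run=%d\n", get_class($b), count(ScanReport::$log));
```

Run it with `php example.php`; the first line reports a live `ScanReport` whose hook executed, the second reports `__PHP_Incomplete_Class` with no further hook invocation. When auditing PHP code, every `unserialize()` call whose input can originate from a file or request should either pass an explicit `allowed_classes` list (or `false`) or be replaced by a format with no object-construction semantics.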
According to Cisco Talos’ investigation, a specially constructed misconfigured file can execute arbitrary commands. A cybercriminal can exploit this weakness by sending a malicious file.
Researchers say that there are a few ways for an attacker to carry out an exploit in the real world. For example, they pointed out that if Imunify360 is equipped with real-time file system scanning, an attacker simply has to generate a malicious file on the system. Alternatively, the attacker may send the target a malicious file to activate an exploit when scanned with the Ai-Bolit scanner.
To avoid successful attacks, those employing Imunify360 to defend their Linux webservers should upgrade to the newest version of the platform, which includes a patch.