Code execution bug patched in Imunify360 Linux server security suite

Updated: The vulnerability could be used to hijack web servers.
Written by Charlie Osborne, Contributing Writer

A severe PHP deserialization vulnerability leading to code execution has been patched in Imunify360. 

Discovered by Cisco Talos researcher Marcin 'Icewall' Noga, the vulnerability "could cause a deserialization condition with controllable data and then execute arbitrary code," leaving web servers open to hijacking. 

Tracked as CVE-2021-21956 and issued a CVSSv3 score of 8.2, the security flaw is present in CloudLinux's Imunify360 versions 5.8 and 5.9. Imunify360 is a security suite for Linux web servers including patch management, domain blacklisting, and firewall features. 

In a security advisory published on Monday, Cisco Talos said the flaw was found in the Ai-Bolit malware scanner functionality of the software. 

The Ai-Bolit component is used to scan and check website-related files, such as .php, .js, or .html content, and is installed natively as a service with root privileges. Within the module's deobfuscation class, submitted data is deserialized without sanitization, so arbitrary code can be executed during unserialization.
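The bug class described above, PHP deserialization of attacker-controlled input, is shown below as an added example; this is not code from Imunify360 or Ai-Bolit, and the class name `CacheEntry`, the function names and the serialized sample string are all constructed for illustration. The point is the difference between a plain `unserialize()` call, which instantiates whatever class the data names and runs its magic methods, and the hardened call with `allowed_classes => false`, which returns inert `__PHP_Incomplete_Class` placeholders instead.

```php
<?php
// Added example, not Imunify360/Ai-Bolit code: a vulnerable unserialize() call
// beside its hardened form, plus a pre-check that rejects object payloads.

// Hypothetical class standing in for any class the application has loaded.
// Its __wakeup() runs automatically whenever unserialize() rebuilds an instance.
class CacheEntry
{
    public $path = '';

    public function __wakeup()
    {
        // Whatever happens here runs with the privileges of the process that
        // called unserialize(); for a scanner running as root, that is root.
        error_log("CacheEntry::__wakeup ran for " . $this->path);
    }
}

// Constructed sample: serialized data as it might appear inside a scanned file.
// "CacheEntry" is 10 bytes, "path" is 4, "/tmp/xyz" is 8.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:8:"/tmp/xyz";}';

// Vulnerable pattern: every loaded class is eligible, so __wakeup() (and any
// __destruct() later) fires on data the attacker wrote.
function deserializeUnsafe(string $data)
{
    return unserialize($data);
}

// Hardened pattern: no class is instantiated. Objects in the input arrive as
// __PHP_Incomplete_Class with no magic methods invoked; scalars and arrays
// still round-trip normally, which is all a deobfuscation cache should need.
function deserializeSafe(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Stricter still: refuse the payload before it reaches unserialize() at all.
// PHP's format marks objects as O:<len>:"Class" and custom-serialized classes
// as C:<len>:"Class"; this is a heuristic match on those record headers.
function containsSerializedObject(string $data): bool
{
    return (bool) preg_match('/(^|[{;])[OC]:\d+:"/', $data);
}

// Demonstration: the unsafe call yields a live CacheEntry (and logs from
// __wakeup); the safe call yields a placeholder; the pre-check flags the
// object payload and passes a plain array.
var_dump(deserializeUnsafe($untrusted) instanceof CacheEntry);
var_dump(deserializeSafe($untrusted) instanceof __PHP_Incomplete_Class);
var_dump(containsSerializedObject($untrusted));
var_dump(containsSerializedObject('a:1:{i:0;s:3:"abc";}'));
```

The `allowed_classes` option has existed since PHP 7.0, so it is available on any supported server build; where the data only ever needs to carry arrays and scalars, replacing PHP serialization with `json_decode()` removes the object-instantiation surface entirely. The regex pre-check is a defence-in-depth heuristic, not a parser, and a string value that happens to contain `;O:1:"` would trip it; that is the right failure direction for a root-level scanner.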

If the software is configured for real-time file system scanning, an attacker could trigger the bug by placing a malicious file on the target server; otherwise, a user could be duped into scanning a crafted payload file on the threat actor's behalf.

Cisco reported its findings to the vendor on October 1, and coordinated public disclosure was agreed upon. Linux web developers making use of Imunify360 should upgrade their builds to the latest release, at the time of writing version 6.1.

Update 15.57 GMT:

"After validating the vulnerability report information, the Imunify team prepared and released updated versions of the affected software," commented Dmitry Tkachuk, Head of Product Development at Imunify. "If you're running version 5.11.3 or later of AI Bolit, the update is automatic (and you're likely already running a protected version or you will be receiving the update very soon). At this time, there is no known exploit in the wild [...] We would like to thank the Talos team for their cooperation."
