Pierluigi Paganini November 23, 2021

A flaw in CloudLinux’s Imunify360 security product could have been exploited by an attacker for remote code execution.

Cisco’s Talos researchers discovered a remote code execution vulnerability, tracked as CVE-2021-21956, in CloudLinux’s Imunify360 security product.

Imunify360 is a security platform for web-hosting servers that allows to implement real-time protection for website and web servers.

The flaw resides in the Ai-Bolit functionality of CloudLinux Inc Imunify360 and an attacker could exploit it to execute arbitrary code using specially crafted files.

“TALOS-2021-1383 (CVE-2021-21956) could be triggered automatically just after the attacker creates a malicious file in the system if Immunify is configured with real-time file system scanning. It could also be triggered if the user scans a malicious file provided by the attacker with Ai-Bolit scanner. The attacker could cause a deserialization condition with controllable data and then execute arbitrary code.” reads the post published by Talos researchers.

The vulnerability affects the following versions of the AI-Bolit product:

• 30.8.8-1
• 30.8.9-1
• 30.10.3-1
• 31.0.3-1
• 31.1.1-1

The version of AI-Bolit 31.1.2-1 that comes with the ImunifyAV/Imunify360 5.11.3 has addressed the issue.

To check the version of the installs, users can access to Imunify360 agent features from command-line interface (CLI), and run the following command:

imunify360-agent version

Cisco released the SNORTⓇ rules 58252 and 58253 to detect exploitation attempts against this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]