Major code execution bug in Imunify360 Linux server got patched

Exploiting the vulnerability could allow attackers to hijack web servers

A malicious file can lead to command execution. The flaw had to be patched to avoid web server hijacking.

An Imunify360 flaw left Linux web servers open to code execution attacks and takeover, reports stated. The high-severity PHP deserialization bug was discovered in CloudLinux's security platform for Linux-based websites.[1] Arbitrary code could have been executed, according to Cisco Talos' research and analysis.[2] The platform lets users configure settings for real-time website protection and web server security.

Additional features include an advanced firewall, intrusion detection and prevention, anti-malware scanning, automatic patch updates, and web-hosting panel management. According to the findings, the severe vulnerability[3] resides in the Ai-Bolit scanning functionality of Imunify360. This feature allows webmasters and administrators to find malware, bugs, virus payloads, and malicious code.

The web server can be hijacked if such a flaw is exploited, but the research team reported the issue to the vendor. Those running Imunify360 should upgrade to the latest 6.1 version to avoid exploitation of the security bug and its possible consequences.

Found in the malware scanner feature of the software

Ai-Bolit is used to scan .php, .js, or .html content and is installed as a service with root privileges, so exploiting the vulnerability can give an attacker full control of the host. If the sanitization of submitted files fails, code execution is possible during the unserialization step within the deobfuscation class of the module.

Such malicious or suspicious data would not be detected and neutralized. Attackers could trigger a cyber attack,[4] create a malicious file on the server, and have the payload file run on the server.

To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns generated by common obfuscators…When a certain signature (regex) is inside a scanned file, the proper de-obfuscation handler is executed, which tries to pull out essential data from the obfuscated code.
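The mechanism in the two passages above, a signature-driven de-obfuscation handler that hands bytes pulled out of a scanned file to unserialize(), is easier to see in code. The following is an added example written for this page, not code from Imunify360, Ai-Bolit or Cisco Talos: the signature regex, the handler names and the sample file contents are all assumptions. The unsafe handler shows the pattern the article warns about; the hardened handler shows the standard PHP mitigation (allowed_classes => false plus rejecting any object) that a scanner which only needs data can apply.

```php
<?php
declare(strict_types=1);
// Added illustration (PHP 8), not Imunify360 or Ai-Bolit code. It models the
// mechanism the article describes: a regex signature selects a de-obfuscation
// handler, which pulls a serialized blob out of the scanned file. The handler
// names, the signature and the sample file contents are hypothetical.

// One hypothetical signature of the kind a Deobfuscator class keeps: it
// captures the base64 argument of unserialize(base64_decode('...')).
const SIG_B64_SERIALIZED = '/unserialize\(base64_decode\(\'([A-Za-z0-9+\/=]+)\'\)\)/';

// UNSAFE handler: hands attacker-controlled bytes to unserialize() with default
// options, so any class visible to the scanner (which runs as root) can be
// instantiated and its __wakeup/__destruct magic methods run. This is the
// "unsanitized unserialization" pattern the article warns about.
function extractUnsafe(string $scannedContent): mixed
{
    if (!preg_match(SIG_B64_SERIALIZED, $scannedContent, $m)) {
        return null;
    }
    return unserialize(base64_decode($m[1]));   // objects allowed: dangerous
}

// HARDENED handler: the scanner only needs data, never behaviour, so
//  1. allowed_classes => false turns every serialized object into a
//     __PHP_Incomplete_Class (no constructor, __wakeup or __destruct runs), and
//  2. anything that still contains an object is rejected outright.
function extractSafe(string $scannedContent): array|string|int|float|bool|null
{
    if (!preg_match(SIG_B64_SERIALIZED, $scannedContent, $m)) {
        return null;
    }
    $raw = base64_decode($m[1], true);          // strict decode: reject junk
    if ($raw === false) {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {  // serialized false is legitimate
        return null;                            // malformed stream: skip it
    }
    return containsObject($value) ? null : $value;
}

// Recursive check: true if any node of the decoded value is an object.
function containsObject(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed samples (not real malware): an obfuscated file carrying plain
// data, and one carrying a serialized object (a harmless stdClass here).
$dataFile   = "<?php eval(unserialize(base64_decode('"
            . base64_encode(serialize(['cmd' => 'echo hi'])) . "')));";
$objectFile = "<?php eval(unserialize(base64_decode('"
            . base64_encode('O:8:"stdClass":0:{}') . "')));";

var_export(extractSafe($dataFile));     // array ( 'cmd' => 'echo hi', )
echo PHP_EOL;
var_export(extractSafe($objectFile));   // NULL: object payload refused
echo PHP_EOL;
var_export(get_debug_type(extractUnsafe($objectFile)));  // 'stdClass': hydrated
echo PHP_EOL;
```

Run it with PHP 8: the hardened handler returns the plain-data array and NULL for the object payload, while the unsafe handler hydrates the object. The real fix for Imunify360 is the vendor's 6.1 update; the pattern here is the general one a reviewer looks for in any code that unserializes bytes taken from files it does not trust.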

Possible exploitation of the security flaw

Any attacker targeting users or enterprises can craft a malicious file that includes an arbitrary command. Exploiting the vulnerability can let the attacker trigger code execution and further infect the server or machines connected to the network. Such vulnerabilities have been exploited many times before and can lead to major issues and consequences.

It is possible for attackers to use the flaw to their advantage. Researchers noted that Imunify360 performs real-time file system checking, so a threat actor only needs to get a file onto the system for the scanner to pick it up and grant the access needed to act further. This crafted malware-laden file could also be delivered to the target in other ways, and exploitation could then happen when the user later runs the Ai-Bolit scanner.

Such code execution can lead to malware infiltration on the network, with many possible outcomes and malware types that could run there. The most dangerous and damaging would be ransomware, because a threat like this is mainly focused on creating havoc and making money for its developers. However, recent campaigns show that data theft and breaches can also be a goal for the actors behind such malware.

If a web server hijacking campaign, for example, is successful, hackers can access credentials, passwords, other sensitive data, and business information. DDoS attacks,[5] sniffing attacks, and social engineering campaigns all become possible. It is best to patch the issue with the latest version.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for He graduated from Washington and Jefferson College, Communication and Journalism studies.
