A severe PHP deserialization vulnerability leading to code execution has been patched in Imunify360.
Imunify360 is a security platform for web-hosting servers that lets users configure settings for real-time website protection and web server security, including an advanced firewall, intrusion detection and prevention, antivirus and antimalware scanning, automatic kernel patch updates, and a web-host panel integration for managing it all.
Tracked as CVE-2021-21956 and issued a CVSSv3 score of 8.2, the security flaw is present in Cloud Linux’s Imunify360 versions 5.8 and 5.9.
The Ai-Bolit component is used to scan and check website-related files, such as .php, .js, or .html content, and is installed natively as a service with root privileges. Within a deobfuscation class of the module, a failure to sanitize data that has been submitted means that arbitrary code execution can be performed during unserialization.
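The class of bug described above, as an added PHP example that is not Imunify360 or Ai-Bolit code: content taken from a file reaches unserialize() unfiltered, shown beside a hardened decoder. The class TempFileCleaner, the functions decodeUnsafe, decodeSafe and containsObject, and the sample blob are hypothetical and constructed for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added illustration (PHP 7.4+). All names are hypothetical; this is not Ai-Bolit code.

// Stand-in for any class loaded in the scanning process whose magic method
// has a side effect. Here the side effect is only a log entry.
final class TempFileCleaner
{
    public static array $log = [];
    public string $path = '';

    public function __destruct()
    {
        self::$log[] = "destructor ran, path={$this->path}";
    }
}

// Vulnerable pattern: bytes recovered from a scanned file reach unserialize() as-is.
function decodeUnsafe(string $blob)
{
    return unserialize($blob);
}

// True if the value is an object or an array that holds one at any depth.
function containsObject($v): bool
{
    return is_object($v) || (is_array($v) && count(array_filter($v, 'containsObject')) > 0);
}

// Hardened pattern: never instantiate classes, cap nesting, reject object payloads.
function decodeSafe(string $blob)
{
    $value = @unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    if (($value === false && $blob !== 'b:0;') || containsObject($value)) {
        throw new UnexpectedValueException('untrusted serialized data rejected');
    }
    return $value;
}

// Constructed sample of serialized data as it might sit inside a scanned file.
$blob = 'O:15:"TempFileCleaner":1:{s:4:"path";s:9:"/tmp/demo";}';
decodeUnsafe($blob); // object is built from file content, then destroyed
try {
    decodeSafe($blob); // object notation is refused; TempFileCleaner is never built
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo count(TempFileCleaner::$log), ' destructor call(s) logged', PHP_EOL;
```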
A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
If Imunify360 is configured with real-time file system scanning, the attacker need only create a malicious file in the system, they noted. Alternatively, the attacker could provide a malicious file directly to the target, which would trigger an exploit when a user scans it with the Ai-Bolit scanner.
Users of the affected product, Cloud Linux Inc. Imunify360 versions 5.8 and 5.9, are encouraged to update to version 6.1 as soon as possible.
SNORT rules 58252 and 58253 will detect exploitation attempts against this vulnerability.