Marcin “Icewall” Noga of Cisco Talos.
Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc. Imunify360 that could lead to arbitrary code execution.
Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security. TALOS-2021-1383 (CVE-2021-21956) could be triggered automatically just after the attacker creates a malicious file in the system if Imunify360 is configured with real-time file system scanning. It could also be triggered if the user scans a malicious file provided by the attacker with the Ai-Bolit scanner. The attacker could cause a deserialization condition with controllable data and then execute arbitrary code.
Cisco Talos worked with CloudLinux to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
Users are encouraged to update these affected products as soon as possible: CloudLinux Inc. Imunify360, versions 5.8 and 5.9. Talos tested and confirmed that these versions of Imunify360 could be exploited through this vulnerability.
The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 58252 and 58253. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.