Critical RCE Vulnerability in ImunifyAV Endangers Linux-hosted Websites

RCE Vulnerability in ImunifyAV Puts Linux-Hosted Sites at Risk

Millions of Linux-hosted websites are facing a significant security threat due to a remote code execution vulnerability in the ImunifyAV malware scanner. This vulnerability could potentially compromise the hosting environment, posing a serious risk to website owners.

The vulnerability affects versions of the AI-bolit malware-scanning component prior to 32.7.4.0. This component is used in the Imunify360 suite, the paid ImunifyAV+, and the free ImunifyAV scanner.

CloudLinux, the vendor of ImunifyAV, released fixes for the vulnerability in late October. Although no identifier has been assigned to the flaw, it is considered critical because of its potential impact on hosting environments.

CloudLinux issued an advisory urging customers to update to version 32.7.4.0 to address the vulnerability. A backported fix for older versions of Imunify360 AV followed on November 10.

ImunifyAV is a key component of the Imunify360 security suite commonly used by web-hosting providers and Linux shared hosting environments. While website owners may not directly interact with ImunifyAV, it plays a crucial role in safeguarding over 56 million websites.

The vulnerability stems from AI-bolit’s deobfuscation logic, which allows the execution of attacker-controlled function names and data extracted from obfuscated PHP files. This flaw enables the execution of dangerous PHP functions like system, exec, shell_exec, and more.

Exploitation requires that Imunify360 AV perform active deobfuscation during the analysis step. The standalone AI-Bolit CLI disables this feature in its default configuration, but the Imunify360 integration runs the scanner in a way that leaves it susceptible.

CloudLinux's fix introduces a whitelisting mechanism that restricts deobfuscation to a fixed set of safe functions, so a function name lifted from a scanned file can no longer be executed arbitrarily. System administrators are strongly advised to upgrade to version 32.7.4.0 or newer to mitigate the risk.
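To make the flaw and the fix concrete, the following Python model (added here; it is not AI-Bolit's or CloudLinux's code) shows a deobfuscation step that unwraps nested decoder calls such as base64_decode(strrev('...')) in a scanned file. The first dispatcher resolves whatever function name it finds in the file, which is the pattern the article describes; the second only resolves names on an explicit allowlist of pure string decoders, which is the shape of the vendor's whitelist fix. The sample inputs, the `system` stand-in (which only records what it would have run) and all function names are constructed for this example.

```python
"""Model of a scanner deobfuscation step: unwrap innermost name('literal')
calls by emulating the named function. Compares a dispatcher that calls any
reachable function name against one restricted to an allowlist."""
import base64
import codecs
import re

# Constructed sample inputs, not real malware. The first decodes to a
# harmless echo; the second names a dangerous function with a placeholder
# argument.
OBFUSCATED_SAMPLE = "<?php eval(base64_decode(strrev('==wOikGaiAyboNWZ'))); ?>"
MALICIOUS_SAMPLE = "<?php $out = system('echo placeholder'); ?>"

# Emulations of the pure PHP string decoders a scanner legitimately needs.
def base64_decode(s: str) -> str:
    return base64.b64decode(s).decode("latin-1")

def str_rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")

def strrev(s: str) -> str:
    return s[::-1]

# Stand-in for a dangerous function that is reachable in the same namespace
# as the decoders (system/exec/shell_exec in PHP). It executes nothing and
# only records the argument it was handed.
EXECUTED: list = []

def system(cmd: str) -> str:
    EXECUTED.append(cmd)
    return ""

# Matches an innermost call whose only argument is a single-quoted literal.
CALL_RE = re.compile(r"(\w+)\('([^']*)'\)")

def unwrap(source: str, resolve) -> str:
    """Repeatedly replace the innermost name('literal') call with the value
    of resolve(name)(literal). resolve() returns None for a name the
    dispatcher refuses to call, which ends the unwrapping."""
    while True:
        m = CALL_RE.search(source)
        if m is None:
            return source
        fn = resolve(m.group(1))
        if fn is None:
            return source
        try:
            value = fn(m.group(2))
        except Exception:  # malformed input (e.g. bad base64): stop here
            return source
        if "'" in value:  # cannot re-embed as a single-quoted literal
            return source
        source = source[:m.start()] + "'" + value + "'" + source[m.end():]

def resolve_any(name: str):
    """Flawed dispatcher: any callable in the module namespace is eligible,
    so a name taken from the scanned file decides what runs."""
    fn = globals().get(name)
    return fn if callable(fn) else None

# Explicit allowlist of pure decoders; nothing else is ever invoked.
SAFE_DECODERS = {
    "base64_decode": base64_decode,
    "str_rot13": str_rot13,
    "strrev": strrev,
}

def resolve_allowlisted(name: str):
    """Fixed dispatcher: only allowlisted decoders are resolved."""
    return SAFE_DECODERS.get(name)

if __name__ == "__main__":
    print(unwrap(OBFUSCATED_SAMPLE, resolve_allowlisted))
    print(unwrap(MALICIOUS_SAMPLE, resolve_any), EXECUTED)
    EXECUTED.clear()
    print(unwrap(MALICIOUS_SAMPLE, resolve_allowlisted), EXECUTED)
```

Both dispatchers unwrap the benign sample to the same `eval('echo "hi";')`, but only the allowlisted one leaves the `system(...)` call untouched; the namespace-based one hands the attacker-chosen argument to whatever function the name resolves to. The design point is that the allowlist is a closed map from name to implementation, so adding a decoder is a code change rather than something the scanned file can influence.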

Proof of concept exploit

This proof of concept exploit demonstrates how a PHP file in the tmp directory can trigger remote code execution when scanned by the antivirus, potentially leading to full website compromise.

While there are no official instructions for checking compromise or detecting active exploitation in the wild, system administrators should remain vigilant and prioritize updating their ImunifyAV installations.

If you require additional information or clarification on this matter, feel free to reach out to CloudLinux for further insights.
