The ImunifyAV malware scanner for Linux servers, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment.
The issue affects versions of the AI-bolit malware scanning component prior to 32.7.4.0. The component is present in the Imunify360 suite, the paid ImunifyAV+, and in ImunifyAV, the free version of the malware scanner.
According to security firm Patchstack, the vulnerability has been known since late October, when ImunifyAV's vendor, CloudLinux, released fixes. Currently, the flaw has not been assigned an identifier.
On November 10, the vendor backported the fix to older Imunify360 AV versions. In an advisory yesterday, CloudLinux warned customers about "a critical security vulnerability" and recommended that they "update the software as soon as possible" to version 32.7.4.0.
ImunifyAV is part of the Imunify360 security suite, mostly used by web-hosting providers or generic Linux shared hosting environments.
The product is usually installed at the hosting platform level, not by end-users directly. It is extremely common on shared hosting plans, managed WordPress hosting, cPanel/WHM servers, and Plesk servers.
Website owners rarely interact with it directly, but it is still a ubiquitous tool running silently behind 56 million websites, according to Imunify data from October 2024, which also claims more than 645,000 Imunify360 installations.
The root cause of the flaw is AI-bolit's deobfuscation logic, which executes attacker-controlled function names and data extracted from obfuscated PHP files when trying to unpack malware for scanning.
This happens because the tool uses 'call_user_func_array' without validating the function names, allowing execution of dangerous PHP functions such as system, exec, shell_exec, passthru, eval, and more.
Patchstack notes that exploiting the vulnerability requires Imunify360 AV to perform active deobfuscation during the analysis step, which is disabled in the default configuration of the standalone AI-Bolit CLI.
However, the Imunify360 integration of the scanner component forces an 'always on' state for background scans, on-demand scans, user-initiated scans, and rapid scans, which meets the exploitation requirement.
The researchers shared a proof-of-concept (PoC) exploit that creates a PHP file in the tmp directory, which will trigger remote code execution when scanned by the antivirus.
Source: Patchstack
This could enable full website compromise, and if the scanner runs with elevated privileges in shared hosting setups, the consequences could extend to full server takeover.
CloudLinux's fix adds a whitelisting mechanism that only allows safe, deterministic functions to execute during deobfuscation, which blocks arbitrary function execution.
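To make the root cause and the fix concrete, the following is an added illustration and not AI-Bolit's code or CloudLinux's patch. It uses a constructed "name('literal')" nesting grammar as a stand-in for real obfuscation formats, mirrors the unsafe pattern the article describes (the extracted function name is handed straight to call_user_func_array), and sets beside it a hardened resolver that only lets a fixed allowlist of deterministic decoding functions run. The allowlist contents are an assumption for the example.

```php
<?php
// Added illustration, not AI-Bolit's code. The "name('literal')" nesting
// grammar is a constructed stand-in for real obfuscation formats; the point
// is how the extracted names are resolved before being executed.

/**
 * Walks a nested call expression such as base64_decode(str_rot13('...'))
 * from the inside out. $resolver receives each extracted function name and
 * returns the name that will actually be executed, or throws.
 */
function evaluateObfuscated(string $expr, callable $resolver): string
{
    $expr = trim($expr);

    // Base case: a single-quoted string literal (no escapes in this toy grammar).
    if (preg_match("/^'([^']*)'$/s", $expr, $m)) {
        return $m[1];
    }

    // Recursive case: identifier( inner-expression ). Only bare identifiers
    // are admitted, so forms like 'Class::method' never reach the resolver.
    if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)\s*\((.*)\)$/s', $expr, $m)) {
        throw new InvalidArgumentException("unrecognised expression: $expr");
    }

    $argument = evaluateObfuscated($m[2], $resolver);
    $function = $resolver($m[1]);

    return (string) call_user_func_array($function, [$argument]);
}

// The pattern the article describes: whatever name was extracted from the
// scanned file is executed as-is, so 'system' or 'exec' pass straight through.
function unsafeResolver(string $name): string
{
    return $name;
}

// Hardened resolver: only deterministic decoding functions may run. The list
// itself is an assumption for this example, not CloudLinux's actual allowlist.
const DEOBFUSCATION_ALLOWLIST = [
    'base64_decode', 'str_rot13', 'strrev', 'gzinflate', 'gzuncompress', 'urldecode', 'hex2bin',
];

function safeResolver(string $name): string
{
    // PHP function names are case-insensitive, so compare the lowercased form;
    // otherwise 'SYSTEM' would slip past an exact-match check.
    $normalised = strtolower($name);
    if (!in_array($normalised, DEOBFUSCATION_ALLOWLIST, true)) {
        throw new RuntimeException("refusing to execute non-allowlisted function '$name'");
    }
    return $normalised;
}

// Constructed sample: a string wrapped in str_rot13 and then base64; the
// deobfuscator applies the two decoders in reverse order.
$plaintext = 'constructed sample payload';
$sample = "base64_decode(str_rot13('" . str_rot13(base64_encode($plaintext)) . "'))";

echo evaluateObfuscated($sample, 'safeResolver'), PHP_EOL;

// A non-allowlisted name is rejected before call_user_func_array is reached.
// With unsafeResolver the same input would have executed the named function.
try {
    evaluateObfuscated("system('hostname')", 'safeResolver');
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that the check sits on the resolver, not on the parser: even if the parser is later extended to accept richer syntax, every name still has to pass the allowlist before anything is invoked, and the comparison is done on the normalised name because PHP resolves function names case-insensitively.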
Despite the lack of clear warnings from the vendor or a CVE-ID that could help raise the alarm and track the issue, system administrators should upgrade to version 32.7.4.0 or newer.
Currently, there are no official instructions on how to check for compromise, no detection guidance, and no confirmation of active exploitation in the wild.
BleepingComputer has contacted CloudLinux with a request for comment, but we have not received a response by publishing time.