Type: Arbitrary Command Execution (Plesk)
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: cagefs-5.0-10 / lvemanager-0.6-23
CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.
There is a flaw within the PHP Selector feature of CloudLinux for Plesk that allows an attacker to run commands as the ‘psaadm’ (admin) user. The end result is that the attacker would be able to obtain admin access, view client MySQL databases and/or possibly obtain root access through other means.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the ‘psaadm’ user can be viewed.
This vulnerability was tested against CloudLinux cagefs-5.0-9 / lvemanager-0.6-21 for Plesk and is believed to exist in all prior versions.
This vulnerability was patched in CloudLinux cagefs-5.0-10 / lvemanager-0.6-23 + lvemanager-0.7-1.6 BETA for Plesk.
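To check a host against the fixed builds listed above, the following shell functions compare an installed version-release string with the patched build for its branch. This is an added example, not part of the original advisory or CloudLinux's own tooling. The function names are hypothetical, and it assumes that lvemanager 0.7 beta builds older than 0.7-1.6 are also affected and that GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example: branch-aware comparison against the fixed builds in this advisory.

# ver_ge A B: succeeds when A >= B under GNU `sort -V` ordering.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# fixed_build PKG VERSION-RELEASE: prints the patched build to compare against.
fixed_build() {
    case "$1" in
        cagefs) echo "5.0-10" ;;
        lvemanager)
            # Assumption: 0.7 beta builds before 0.7-1.6 are also affected, so a
            # plain ">= 0.6-23" test would wrongly pass e.g. 0.7-1.5.
            case "$2" in
                0.7-*) echo "0.7-1.6" ;;
                *)     echo "0.6-23" ;;
            esac ;;
        *) return 1 ;;
    esac
}

# check_pkg PKG VERSION-RELEASE: prints FIXED, VULNERABLE or UNKNOWN.
# Returns 0 if fixed, 1 if vulnerable, 2 for a package not covered here.
check_pkg() {
    want=$(fixed_build "$1" "$2") || { echo "UNKNOWN"; return 2; }
    if ver_ge "$2" "$want"; then
        echo "FIXED"; return 0
    fi
    echo "VULNERABLE"; return 1
}

# check_installed: query rpm for both packages and report each one's status.
# Packages that are not installed are skipped.
check_installed() {
    for p in cagefs lvemanager; do
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$p" 2>/dev/null) || continue
        printf '%s %s: %s\n' "$p" "$v" "$(check_pkg "$p" "$v")"
    done
}
```

Source the file and run `check_installed` on the Plesk host, or call `check_pkg` directly with a version string taken from an inventory export.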
Vendor Contact Timeline:
2013-08-26: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-30: Vendor issues update.
2013-08-30: Rack911 issues security advisory.