Type: Input Validation Failure
Vulnerable Version: CageFS 5.2-12
Fixed Version: CageFS 5.2-15
CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows CPU and memory to be controlled on a per-tenant basis, and it is the basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.
Due to an input validation failure in the postmodifyacct script for cPanel, a malicious reseller can disable CageFS and run other commands intended only for an administrator.
We rate this vulnerability HIGH because it allows CageFS to be disabled.
This vulnerability was tested against CloudLinux CageFS 5.2-12 and is believed to exist in all prior versions.
This vulnerability was patched in CloudLinux CageFS 5.2-15.
We would like to take a moment to thank the developers of CloudLinux for their always prompt updates in patching the security vulnerabilities we report. While we understand that no developer likes having security vulnerabilities present, CloudLinux always takes responsibility, and its developers are some of the most dedicated we have interacted with. Kudos to them!
Vendor Contact Timeline:
2013-12-20: Vendor contacted via email.
2013-12-20: Vendor confirms vulnerability.
2013-12-23: Vendor issues update.
2013-12-24: Rack911 issues security advisory.