CloudLinux – CageFS (postmodifyacct) Input Validation Failure (R911-0110)

Type: Input Validation Failure
Location: Remote
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: CageFS 5.2-12
Fixed Version: CageFS 5.2-15
CVE: -
R911: 0110
Date: 2013-12-24
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel level technology called LVE that allows you to control CPU and memory on per tenant bases. It is a bases for application level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environment.

Vulnerability Description:

Due to an input validation failure present within the postmodifyacct script for cPanel, it is possible for a malicious reseller to disable CageFS and perform other commands intended for an administrator.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that CageFS can be disabled.

Vulnerable Version:

This vulnerability was tested against CloudLinux CageFS 5.2-12 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux CageFS 5.2-15.

Special Note:

We would like to take a moment to thank the developers of CloudLinux for their always prompt updates in patching our security vulnerabilities. While we understand that no developer would like to have security vulnerabilities present, CloudLinux always takes responsibility and are some of the most dedicated developers we have interacted with. Kudos to them!

Vendor Contact Timeline:

2013-12-20: Vendor contacted via email.
2013-12-20: Vendor confirms vulnerability.
2013-12-23: Vendor issues update.
2013-12-24: Rack911 issues security advisory.