CloudLinux – CageFS Tmpwatch Arbitrary File Deletion (R911-0181)

Type: Arbitrary File Deletion
Location: Local
Impact: High
Product: CloudLinux
Vulnerable Version: CageFS 5.3-6
Fixed Version: CageFS 5.4-1
R911: 0181
Date: 2015-07-05
By: RACK911 Labs

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel level technology called LVE that allows you to control CPU and memory on per tenant bases. It is a bases for application level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environment.

Vulnerability Description:

The tmpwatch function of CloudLinux is supposed to clear out temporary files within user directories stored under CageFS. Due to the process being called through the system shell, the process ends up running as root instead of the user which can lead to arbitrary files being deleted elsewhere on the server.


We have deemed this vulnerability to be rated as HIGH due to the fact that system files and other user files can be deleted.

Vulnerable Version:

This vulnerability was tested against CloudLinux CageFS 5.3-6 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux CageFS 5.4-1.

Special Note:

We would like to take a moment to thank the developers of CloudLinux for their always prompt updates in patching our security vulnerabilities. While we understand that no developer would like to have security vulnerabilities present, CloudLinux always takes responsibility and are some of the most dedicated developers we have interacted with. Kudos to them!

Vendor Contact Timeline:

2015-06-26: Vendor contacted via email.
2015-06-26: Vendor confirms vulnerability.
2015-07-02: Vendor issues update.
2015-07-05: RACK911 Labs issues advisory.