CloudLinux – Content Disclosure (R911-0049)

Type: Content Disclosure (Root Access)
Location: Local
Impact: High
Product: CloudLinux
Vulnerable Version: CageFS 5.0-8
Fixed Version: CageFS 5.0-9
R911: 0049
Date: 2013-08-09

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

Vulnerability Description:

There is a flaw within the CageFS portion of CloudLinux that allows an attacker to disclose the contents of any file on the server regardless of file ownership.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.


We rate this vulnerability HIGH because any file can be viewed.

Vulnerable Version:

This vulnerability was tested against CloudLinux CageFS 5.0-8 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux CageFS 5.0-9.
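
A fleet check built on the version boundary stated above, as an added example that is not part of the Rack911 advisory: it classifies hosts from collected `rpm -q --qf '%{VERSION}-%{RELEASE}\n' cagefs` output. The package name `cagefs`, the tab-separated inventory format, and the sample hostnames and release suffixes are assumptions; the comparison is a simplified form of rpm's version ordering.

```python
import re

FIXED = "5.0-9"  # first fixed CageFS version-release, from the advisory

def _cmp_part(a, b):
    """Compare one version or release string segment by segment (simplified rpmvercmp)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with extra segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def triage(inventory):
    """Map host -> 'vulnerable' | 'fixed' | 'not-installed' from 'host<TAB>rpm output' lines."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, out = line.partition("\t")
        out = out.strip()
        if "is not installed" in out:
            result[host] = "not-installed"
        else:
            result[host] = "vulnerable" if vr_cmp(out, FIXED) < 0 else "fixed"
    return result

# Constructed sample inventory (hostnames and release suffixes are made up).
SAMPLE = """\
web01\t5.0-8.el6.cloudlinux
web02\t5.0-9.el6.cloudlinux
web03\t4.9-20.el5.cloudlinux
web04\t5.0-10.el6.cloudlinux
web05\tpackage cagefs is not installed
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```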

Vendor Contact Timeline:

2013-08-08: Vendor contacted via email.
2013-08-08: Vendor confirms vulnerability.
2013-08-09: Vendor issues update.
2013-08-09: Rack911 issues security advisory.