CloudLinux – Privilege Escalation (R911-0024)

Type: Privilege Escalation
Impact: Critical
Product: CloudLinux
Vulnerable Version: LVE Manager 0.6-10
Fixed Version: LVE Manager 0.6-11
CVE: -
R911: 0024
Date: 2013-06-17

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes a kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis and is the basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments.

Vulnerability Description:

Due to an ACL failure, an attacker can access a certain function of CloudLinux that was intended only for the root user. Because that function also fails to sanitize its input, the attacker can then manipulate it to run commands as root.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

We have rated this vulnerability as CRITICAL because a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against CloudLinux LVE Manager 0.6-10 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux LVE Manager 0.6-11.

Vendor Contact Timeline:

2013-06-04: Vendor contacted via email.
2013-06-04: Vendor confirms vulnerability.
2013-06-05: Vendor issues update.
2013-06-17: Rack911 issues security advisory.