CloudLinux – Arbitrary File Access (Plesk) (R911-0057)

Type: Arbitrary File Access (Plesk)
Location: Local
Impact: High
Product: CloudLinux
Website: http://www.cloudlinux.com
Vulnerable Version: All versions prior to the fixed builds below.
Fixed Version: cagefs-5.0-10 / lvemanager-0.6-23
CVE: -
R911: 0057
Date: 2013-08-30
By: Rack911

Product Description:

CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel level technology called LVE that allows you to control CPU and memory on per tenant bases. It is a bases for application level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environment.

Vulnerability Description:

There is a flaw within the Resource Usage feature of CloudLinux for Plesk that allows an attacker to open any file owned by the ‘psaadm’ (admin) user. The end result is that the attacker would be able to obtain admin access, view client MySQL databases and/or possibly obtain root access through other means.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file owned by the ‘psaadm’ user can be viewed.

Vulnerable Version:

This vulnerability was tested against CloudLinux cagefs-5.0-9 / lvemanager-0.6-21 for Plesk and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudLinux cagefs-5.0-10 / lvemanager-0.6-23 + lvemanager-0.7-1.6 BETA for Plesk.

Vendor Contact Timeline:

2013-08-26: Vendor contacted via email.
2013-08-27: Vendor confirms vulnerability.
2013-08-30: Vendor issues update.
2013-08-30: Rack911 issues security advisory.