A critical security flaw in Imunify360 AV, a widely used security scanner, has left up to 56 million websites vulnerable to complete server takeover. Cybersecurity firm Patchstack recently uncovered the vulnerability, warning that unpatched versions could allow attackers to gain full control over hosting platforms and all sites they serve. This remote code execution (RCE) vulnerability presents a severe risk, particularly for shared hosting environments.
Understanding the Imunify360 AV Vulnerability
Imunify360 AV is a robust malware scanning system deployed by numerous hosting providers to safeguard their infrastructure. The newly identified flaw resides within its AI-Bolit file-scanning engine and a separate database-scanning module. This dual vulnerability means attackers have two distinct avenues to compromise servers, potentially leading to full server takeover and endangering millions of hosted websites.
Patchstack detailed the potential impact, explaining that "Remote attackers can embed specifically crafted obfuscated PHP that matches imunify360AV (AI-bolit) deobfuscation signatures. The deobfuscator will execute extracted functions on attacker-controlled data, allowing execution of arbitrary system commands or arbitrary PHP code. Impact ranges from website compromise to full server takeover depending on hosting configuration and privileges."
The firm further highlighted the challenge of detection, noting, "Detection is non-trivial because the malicious payloads are obfuscated (hex escapes, packed payloads, base64/gzinflate chains, custom delta/ord transformations) and are intended to be deobfuscated by the tool itself."
Crucially, Imunify360 AV (AI-Bolit) is a malware scanner specialized in website-related files, and by default, it "is installed as a service and works with root privileges." This elevated access means that on shared hosting, "successful exploitation can lead to privilege escalation and root access... an attacker could leverage RCE to move from a single compromised site to complete host control."
The scanner's own design paradoxically facilitates the exploit. Its ability to deobfuscate complex payloads becomes the very mechanism attackers use. Once the scanner decodes attacker-supplied functions, it executes them with its existing, often elevated, privileges. This direct link between deobfuscation, privilege level, and execution underscores why Patchstack rates the potential impact as severe, ranging up to full server takeover.
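The defect Patchstack describes is a dispatch problem: a deobfuscator that resolves function names taken from the sample against the host language's full function table lets the sample decide what runs. The following is an added illustration written for this article, not AI-Bolit's or Patchstack's code. It shows that vulnerable resolution step next to a hardened version in which only an allowlist of pure, side-effect-free decoders (base64, raw DEFLATE, rot13, string reversal, URL decoding) can ever be applied, with a size cap so a packed payload cannot be used as a decompression bomb. Anything outside the allowlist, such as an outer eval() wrapper, is reported to the analyst rather than executed. The parser, the decoder names, and the sample inputs are all constructed for the example.

```python
"""Hardened deobfuscation dispatch beside the vulnerable pattern (illustrative,
not AI-Bolit's code). Sample inputs below are constructed for this example."""
import base64
import builtins
import re
import zlib
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

MAX_OUTPUT = 1 << 20  # cap on any decoded layer; guards against decompression bombs

_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def _gzinflate(data: bytes) -> bytes:
    # PHP gzinflate() consumes raw DEFLATE; wbits=-15 selects that in zlib.
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_OUTPUT)
    if not d.eof:  # output cap reached before the stream ended
        raise ValueError("decoded layer exceeds size cap")
    return out


# Allowlist of pure bytes->bytes transforms. Nothing here touches the filesystem,
# the process, or the network, so applying one to attacker data is safe.
SAFE_DECODERS: Dict[str, Callable[[bytes], bytes]] = {
    "base64_decode": base64.b64decode,
    "gzinflate": _gzinflate,
    "str_rot13": lambda b: b.translate(_ROT13),
    "strrev": lambda b: b[::-1],
    "urldecode": lambda b: unquote_to_bytes(b.replace(b"+", b" ")),
}


def unsafe_resolve(name: str) -> Optional[Callable]:
    """The vulnerable design: a name lifted out of the sample is looked up in the
    host language's full function table (call_user_func($name, ...) in PHP), so
    the sample chooses what runs. Python's builtins stand in for that table."""
    return getattr(builtins, name, None)


def safe_resolve(name: str) -> Optional[Callable[[bytes], bytes]]:
    """The hardened design: only allowlisted decoders are ever applied."""
    return SAFE_DECODERS.get(name)


def parse_chain(src: str) -> Tuple[List[str], bytes]:
    """Parse f1(f2(f3('literal'))) into (['f1', 'f2', 'f3'], literal bytes).
    Only this single-literal shape is handled; anything else is rejected."""
    names: List[str] = []
    s = src.strip().rstrip(";").strip()
    while True:
        m = re.match(r"([A-Za-z_]\w*)\s*\((.*)\)\s*$", s, re.S)
        if not m:
            break
        names.append(m.group(1))
        s = m.group(2).strip()
    lit = re.fullmatch(r"'([^']*)'", s)
    if lit is None:
        raise ValueError("unsupported sample shape")
    return names, lit.group(1).encode("latin-1")


def deobfuscate(src: str, resolve=safe_resolve) -> Tuple[bytes, List[str]]:
    """Apply decoders innermost-first. The first name the resolver rejects stops
    decoding; it and everything wrapping it are returned as 'wrappers'
    (e.g. ['eval']) for the analyst instead of being executed."""
    names, data = parse_chain(src)
    wrappers: List[str] = []
    for depth, name in enumerate(reversed(names)):
        fn = resolve(name)
        if fn is None:
            wrappers = names[: len(names) - depth]  # outer-to-inner order
            break
        data = fn(data)
        if len(data) > MAX_OUTPUT:
            raise ValueError("decoded layer exceeds size cap")
    return data, wrappers


def rejected(src: str) -> bool:
    """True if the sample is refused outright (size cap or unsupported shape)."""
    try:
        deobfuscate(src)
    except ValueError:
        return True
    return False


def _raw_deflate(payload: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(payload) + c.flush()


def constructed_sample() -> str:
    """A benign base64+gzinflate chain under an eval() wrapper, built here for
    the example; it is not a real malware sample."""
    raw = _raw_deflate(b"<?php echo 'hello'; ?>")
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


def constructed_bomb_sample() -> str:
    """A few KiB of base64 that inflates to 2 MiB; constructed to exercise the cap."""
    raw = _raw_deflate(b"\0" * (2 << 20))
    return "gzinflate(base64_decode('%s'))" % base64.b64encode(raw).decode()


if __name__ == "__main__":
    payload, wrappers = deobfuscate(constructed_sample())
    print(payload, wrappers)  # decoded payload as text, and ['eval'] flagged, never run
```

The point of the contrast is the resolver, not the decoders: `unsafe_resolve` will hand back any function the sample names, while `safe_resolve` can only ever return one of five harmless transforms, so the worst a crafted sample can do to the hardened version is fail to decode. Returning the unresolved wrapper names also gives detection logic something concrete to alert on.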
Two Paths to Exploitation: File and Database Scanners
Initially, security researchers identified a flaw in the file scanner. However, further investigation revealed that the database-scanning module was vulnerable in precisely the same manner. Both the file and database malware scanning components pass malicious code into Imunify360's internal routines, which then execute the untrusted code. This provides attackers with two distinct methods to trigger the remote code execution vulnerability.
Why This Vulnerability is Easy to Exploit
Exploiting the file-scanner vulnerability requires an attacker to place a harmful file onto the server in a location that Imunify360 would eventually scan. However, the database-scanner vulnerability is significantly easier to exploit, requiring only the ability to write to the database—a common capability on shared hosting platforms.
Since common user inputs like comment forms, contact forms, profile fields, and search logs can write data to a database, injecting malicious content becomes straightforward for an attacker, even without prior authentication. This broadens the scope of the vulnerability beyond typical malware execution flaws, transforming routine user input into a potent vector for remote code execution.
Vendor Silence and Disclosure Timeline Concerns
According to Patchstack, a patch for the vulnerability has been issued by Imunify360 AV. However, there has been no public statement regarding the issue, nor has a CVE (Common Vulnerabilities and Exposures) identifier been assigned. A CVE provides a standardized, public record of software vulnerabilities, crucial for risk management and ensuring affected parties are aware of the flaw.
Patchstack noted, "This vulnerability has been known since late October, and customers began receiving notifications shortly thereafter... Unfortunately there has been no statement released about the issue by Imunify360’s team, and no CVE has yet been assigned. At the same time, the issue has been publicly available on their Zendesk since November 4, 2023."
Based on their review, Patchstack considers the CVSS (Common Vulnerability Scoring System) score for this vulnerability to be a critical 9.9.
The absence of a public statement or CVE raises concerns that many users and potential users may remain unaware of the critical vulnerability, despite the patch being available and the issue being listed on Imunify360's Zendesk.
Recommended Actions for Administrators
Patchstack urges server administrators running Imunify360 AV (AI-Bolit) versions prior to 32.7.4.0 to take immediate action:
- Apply Vendor Security Updates: Immediately update Imunify360 AV to the latest patched version.
- Remove Tool if Patching is Not Possible: If an immediate patch cannot be applied, consider temporarily removing the tool.
- Restrict Execution Environment: If removal or immediate patching isn't feasible, restrict the tool’s execution environment. This includes running it in an isolated container with minimal privileges.
- Contact Support: All administrators are strongly encouraged to contact CloudLinux / Imunify360 support to report potential exposure, confirm if their environment was affected, and collaborate on post-incident guidance.
Prompt action is essential to mitigate the significant risks posed by this critical Imunify360 AV vulnerability and protect hosted websites from potential server takeover.