Full Report
The ImunifyAV malware scanner for Linux server, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in ImunifyAV Deobfuscation Logic
## CVE Details
- CVE ID: Not yet assigned
- CVSS Score: Information unavailable (Assumed High, given RCE)
- CWE: Specific CWE not provided, but relates to improper input validation/execution context.
## Affected Systems
- Products: ImunifyAV, ImunifyAV+ (paid), and Imunify360 suite (specifically the AI-bolit malware scanning component).
- Versions: Prior to AI-bolit version **32.7.4.0**.
- Configurations: Exploitation is confirmed whenever the scanner component actively deobfuscates files (e.g., scans run as part of the Imunify360 integration), even though deobfuscation is disabled by default in the standalone CLI.
## Vulnerability Description
The vulnerability resides in the AI-bolit malware scanner's deobfuscation logic. When scanning obfuscated PHP files, the tool invokes `_call_user_func_array_` with function names and arguments extracted directly from the obfuscated content, without validating them. An attacker who crafts a malware sample that reaches this logic during a scan can therefore make the scanner invoke arbitrary, dangerous PHP functions (such as `system`, `exec`, `shell_exec`, `passthru` or `eval`).
## Exploitation
- Status: **PoC available**. Not explicitly noted as exploited in the wild at the time of reporting.
- Complexity: Implied Low to Medium; the attacker only needs to place a specially crafted file where the scanner will process it.
- Attack Vector: Network (uploading malicious files that are later scanned) or indirect.
## Impact
- Confidentiality: High (Potential full compromise of the hosting environment/website).
- Integrity: High (Potential modification or complete takeover of the server).
- Availability: High (Potential for denial of service or full system compromise).
## Remediation
### Patches
- **Upgrade ImunifyAV / Imunify360 to version 32.7.4.0 or newer.**
- The fix involves implementing a whitelisting mechanism that only permits safe, deterministic functions to execute during the deobfuscation process, thereby blocking arbitrary function execution.
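The allowlist approach described above, shown as an added Python illustration of the pattern rather than ai-bolit's own code: a dispatcher that emulates a handful of safe, deterministic PHP decoding functions and refuses any other name the scanned sample supplies, while recording the refused names so a scanner can log them. The function table, the `call_user_func_array_safe` name and the sample payload are all constructed for this example.

```python
"""Allowlist-based emulation of PHP functions for a deobfuscation step."""
import base64
import codecs
import zlib

# Safe, deterministic PHP functions a deobfuscator legitimately needs.
# Anything not in this table is never resolved, whatever the sample asks for.
_SAFE_FUNCS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
    "strrev": lambda s: s[::-1],
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "strtolower": str.lower,
    "strtoupper": str.upper,
}


class UnsafeFunctionError(ValueError):
    """Raised when a sample names a function outside the allowlist."""


def is_allowed(name):
    """True only for names in the allowlist (case-insensitive, as PHP function names are)."""
    return name.strip().lower() in _SAFE_FUNCS


def call_user_func_array_safe(name, args):
    """Resolve `name` against the allowlist only; system/exec/eval/... are refused."""
    if not is_allowed(name):
        raise UnsafeFunctionError(f"refusing to emulate non-allowlisted function {name!r}")
    return _SAFE_FUNCS[name.strip().lower()](*args)


def audit_call_chain(chain):
    """Return the names in a sample's call chain that the allowlist would refuse (for logging)."""
    return [name for name in chain if not is_allowed(name)]


def deobfuscate(chain, payload):
    """Apply the sample's call chain innermost-first; stops at the first refused name."""
    value = payload
    for name in chain:
        value = call_user_func_array_safe(name, [value])
    return value


# Constructed sample: strrev(str_rot13(base64_decode("cXllYmogYnl5cnU="))) -> "hello world"
SAMPLE_CHAIN = ["base64_decode", "str_rot13", "strrev"]
SAMPLE_PAYLOAD = "cXllYmogYnl5cnU="
```

A sample whose chain names `system` is rejected before anything runs, and `audit_call_chain` gives the scanner the offending names to log.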
### Workarounds
- No explicit workarounds were detailed other than immediately updating the software.
## Detection
- **Indicators of Compromise (IoCs):** No post-exploitation TTPs were detailed. Focus on monitoring for unexpected execution of system binaries by the user account the AV scanner process runs as.
- **Detection Methods and Tools:** Standard file integrity monitoring (FIM) on configuration and core files, plus monitoring of system logs for unusual command executions originating from the malware scanner's process context.
## References
- Vendor Advisory: hxxps://cloudlinux.zendesk.com/hc/en-us/articles/23364954576540-Ai-Bolit-security-vulnerability-before-v32-7-4-0-incident99
- Patchstack Advisory: hxxps://patchstack.com/articles/remote-code-execution-vulnerability-found-in-imunify360
- Changelog Reference: hxxps://changelog.imunify.com/imunify360
- PoC Source: Mentioned as provided by Patchstack.