CloudLinux - Privilege Escalation Vulnerability




Posted by Patrick, 06-17-2013, 12:42 PM
Product Description:
CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

Vulnerability Description:
Due to an ACL failure, an attacker can access a particular function of CloudLinux that was intended only for the root user. The attacker can then manipulate the function, due to a failure to sanitize input, and run commands as root.

Proof of Concept:
Due to the nature of this vulnerability, we are withholding the proof of concept until a later date to allow everyone ample time to update their software.

Impact:
We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:
This vulnerability was tested against CloudLinux LVE Manager 0.6-10 and is believed to exist in all prior versions.

Fixed Version:
This vulnerability was patched in CloudLinux LVE Manager 0.6-11.

Vendor Contact Timeline:
2013-06-04: Vendor contacted via email.
2013-06-04: Vendor confirms vulnerability.
2013-06-05: Vendor issues update.
2013-06-17: Rack911 issues security advisory.

Last edited by bear; 07-09-2013 at 08:03 AM.
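To check a fleet against the fixed version named above, the following added example (not part of the original advisory, and not Rack911 or CloudLinux code) flags any installed LVE Manager older than 0.6-11 using a simplified RPM-style comparison. It assumes the version strings were collected with something like `rpm -q --qf '%{VERSION}-%{RELEASE}\n' lvemanager` (the package name is an assumption); the hostnames and versions in the inventory are constructed sample data.

```python
import re

FIXED = "0.6-11"  # first fixed version-release, taken from the advisory

def _segments(part):
    # rpm compares runs of digits or letters and ignores separators.
    return re.findall(r"[0-9]+|[A-Za-z]+", part)

def _cmp_part(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^'): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)  # numeric compare, so 9 < 10
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with extra segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare two 'version-release' strings; a missing release sorts older."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def is_vulnerable(installed):
    """True if the installed version-release predates the fixed one."""
    return compare_vr(installed, FIXED) < 0

# Constructed inventory: hostnames and versions are sample data, not real hosts.
INVENTORY = {
    "web01.example.test": "0.6-10.el6",
    "web02.example.test": "0.6-11.el6",
    "web03.example.test": "0.6-9.el6",   # a plain string sort would rank this above 0.6-11
    "web04.example.test": "0.5-22.el5",
    "web05.example.test": "0.7-1.el6",
}

def audit(inventory):
    """Return the sorted hostnames that still need the update."""
    return sorted(h for h, vr in inventory.items() if is_vulnerable(vr))

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: lvemanager {INVENTORY[host]} is older than {FIXED}, update required")
```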


