SBA Research issued a security advisory for a vulnerability in CloudLinux CageFS version 7.1.1-1 and below. The vulnerability allows local users to view the authentication token via the process list and gain code execution as another user. Its severity is high, with a CVSS base score of 7.8.
CloudLinux OS, developed by CloudLinux Inc., is a leading platform for multitenancy. It isolates each tenant and allocates server resources, creating a more secure and stable environment. However, the identified vulnerability in the CageFS system poses a significant risk to the security of the platform.
The vulnerability arises from the fact that the CageFS environment allows limited execution of commands outside the restricted environment for users. This is achieved through a CageFS daemon that runs outside the environment and is accessible via a UNIX socket from within the CageFS environment. The UNIX socket is handled by `proxyexec`, and wrapper scripts placed within the CageFS environment call `proxyexec` for execution of commands outside of the CageFS environment. These wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token` and pass it to the `proxyexec` command as a command-line argument.
The issue arises when the `lve_namespaces` service or the virtualized proc filesystem feature is disabled. In this case, a local user can read the CageFS authentication token of other users from the process list, where it appears as a command-line argument of `proxyexec`. This allows attackers to gain code execution as those users, posing a serious security threat.
The recommended countermeasure to address this vulnerability is to avoid passing sensitive information as a command line argument. Instead, `proxyexec` should directly read the CageFS token from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS daemon via the UNIX socket.
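The pattern this countermeasure describes, as an added example that is not CloudLinux's code: the client reads the token from a file and sends it in the socket payload, so it never appears in a process's argument list. The length-prefixed wire format, the function names, the sample token and the command name are assumptions made for illustration.

```python
import hmac
import os
import socket
import stat
import struct
import tempfile

MAX_FIELD = 4096  # assumed upper bound for a token or command name

def read_token(path):
    """Read the token from disk; refuse a file that group/other can access."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if os.fstat(fd).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to group/other")
        return os.read(fd, MAX_FIELD).strip()
    finally:
        os.close(fd)

def send_request(sock, token_path, command):
    """Client: the token goes into the socket payload, never into argv."""
    for field in (read_token(token_path), command.encode()):
        sock.sendall(struct.pack("!I", len(field)) + field)

def _recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) != n:
        raise ConnectionError("peer closed mid-message")
    return buf

def _recv_field(sock):
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length > MAX_FIELD:
        raise ValueError("field too long")
    return _recv_exact(sock, length)

def handle_request(sock, expected_token):
    """Daemon: return the requested command only if the token matches."""
    token, command = _recv_field(sock), _recv_field(sock)
    return command.decode() if hmac.compare_digest(token, expected_token) else None

def demo(client_token=b"constructed-token", daemon_token=b"constructed-token"):
    """Round trip over a socketpair using a constructed token file."""
    client, daemon = socket.socketpair()
    with client, daemon, tempfile.NamedTemporaryFile() as f:  # created mode 0600
        f.write(client_token + b"\n")
        f.flush()
        send_request(client, f.name, "example-command")
        return handle_request(daemon, daemon_token)
```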
The timeline for the identification and disclosure of this vulnerability spans from July 2020 to January 2024, indicating an extended period from initial discovery to public disclosure. The vendor, CloudLinux Inc., responded to the vulnerability by releasing version 7.1.2-2, which fixes the issue.
In conclusion, the vulnerability in the CloudLinux CageFS system poses a significant security risk to the platform. Version 7.1.2-2 fixes the issue, and users are urged to update their systems to it to mitigate the risk of exploitation. It is essential for users and administrators to stay vigilant about potential security vulnerabilities and promptly update their systems to ensure the safety and integrity of their environment.