Executive Summary

This vulnerability is an eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before version 32.7.4. It allows attackers to execute arbitrary code by injecting malicious input into the eval function, which can lead to overwriting arbitrary files with root privileges when scanning a crafted file.

Useful 0 Not Useful 0

Detection Guidance

You can detect if your system is vulnerable by checking the installed version of the ai-bolit package. For RPM-based systems (CentOS/CloudLinux/AlmaLinux), use the command: `rpm -qa | grep ai-bolit`. For Debian-based systems (Debian/Ubuntu), use: `dpkg -l | grep ai-bolit`. If the version is prior to 32.7.4-1, your system is vulnerable. There is no specific network detection command provided, but monitoring for suspicious file scans or unexpected root file overwrites could be indicative. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step is to upgrade the ai-bolit package to version 32.7.4-1 or later using your system's package manager (yum for RPM-based systems, apt-get for Debian-based systems). If upgrading immediately is not possible, temporarily disable all types of file scans including scheduled, real-time, FTP, and ModSecurity uploads by modifying configuration settings to disable malware scanning features and scheduled scans or restrict scans to trusted users only. Automatic updates are strongly recommended as the primary defense. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can allow attackers to overwrite arbitrary files as root, potentially leading to full system compromise, unauthorized data modification, or disruption of system operations.

Useful 0 Not Useful 0