Vulnerability
Affected software: CloudLinux CageFS versions below 6.1.9-2
CloudLinux keeps the list of users excluded from CageFS in the file /etc/cagefs/exclude/systemuserlist, which is generated during CageFS installation. By default this file contains user names that may not exist on the system, such as varnish. If a customer orders a DirectAdmin account named varnish, or a reseller creates a user named varnish, that account matches the exclude entry and is placed outside CageFS, so it runs without the per-user filesystem isolation CageFS is meant to enforce.
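The following POSIX shell script is an added example and is not part of the advisory or of CloudLinux's own tooling. It shows how an administrator can audit a host for the condition described above: it compares the exclude list against the password database and reports exclude entries with no matching system account, which are exactly the names a customer or reseller could claim to land outside CageFS. It also shows the pre-creation check a hosting panel would need to reject such a name. The sample exclude list and passwd lines are constructed for the example, the function names are mine, and the assumption that systemuserlist holds one user name per line is mine as well.

```shell
#!/bin/sh
# Audit helper for the CageFS exclude-list name collision.
# Constructed sample data standing in for /etc/cagefs/exclude/systemuserlist
# and /etc/passwd; on a live host read the real files instead (see usage).
SAMPLE_EXCLUDES='root
nobody
varnish
nagios'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
nagios:x:498:498::/var/spool/nagios:/sbin/nologin'

# Print every exclude-list name that has no matching system account.
# Such a name is a collision target: a hosting account created under it
# would be matched by the exclude list and run outside CageFS.
# $1 = exclude list contents (one user name per line, assumed format)
# $2 = passwd contents
dangling_excludes() {
    excludes="$1"
    passwd="$2"
    # Account names present on the system, one per line.
    system_users=$(printf '%s\n' "$passwd" | cut -d: -f1)
    printf '%s\n' "$excludes" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # -x: whole-line match, -F: literal (names are not regexes)
        if ! printf '%s\n' "$system_users" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Pre-creation check for a hosting panel: return 0 if the candidate
# account name is safe to create, 1 if it collides with an exclude entry
# and would therefore escape CageFS.
# $1 = candidate account name, $2 = exclude list contents
check_account_name() {
    name="$1"
    excludes="$2"
    if printf '%s\n' "$excludes" | grep -qxF -- "$name"; then
        return 1
    fi
    return 0
}

# Demonstration on the constructed data: prints "varnish", the only
# excluded name with no system account behind it.
dangling_excludes "$SAMPLE_EXCLUDES" "$SAMPLE_PASSWD"
```

On a real host run `dangling_excludes "$(cat /etc/cagefs/exclude/systemuserlist)" "$(getent passwd)"` as root; any name it prints should either be removed from the exclude list or blocked from account creation with a check like `check_account_name`. Note that the check only covers exact matches: a name that is later added to the exclude list by a package installation would reopen the gap, so the audit is worth repeating after software updates.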
Solution
Update CageFS to version 6.1.9-2 or later.
Timeline
- 2019-07-26 - Vulnerability reported to vendor.
- 2019-07-26 - Response from vendor.
- 2019-09-12 - Beta version 6.1.9-2 of CageFS released with the CAG-940 vulnerability fixed.
- 2019-09-17 - Production version 6.1.9-2 of CageFS released with the CAG-940 vulnerability fixed.