CIS CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2015-017

DATE(S) ISSUED:
02/23/2015

SUBJECT:
Vulnerability in PHP Could Allow Remote Code Execution

OVERVIEW:

A vulnerability has been discovered in PHP which could allow an attacker to remotely disclose source code and potentially execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of a webserver. Failed attempts will likely result in denial-of-service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild. There are known exploits for these vulnerabilities.

SYSTEM AFFECTED:

  • PHP 5.4.x prior to 5.4.38
  • PHP 5.5.x prior to 5.5.22
  • PHP 5.6.x prior to 5.6.6

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: N/A

TECHNICAL SUMMARY:

A use-after-free vulnerability has been discovered that could result in remote code execution. This vulnerability is due to a use-after-free error in the 'DateTime/DateTimeZone/DateInterval/DatePeriod' object of the '_wakeup()' magic method. This occurs because of improper handling of duplicate keys within the serialized properties of an object. An attacker may exploit this issue using a specially crafted input passed to the 'unserialize()' method.

The PHP '_wakeup()’ Function Use After Free Remote Code Execution Vulnerability exists in PHP versions 5.6 - 5.6.6, 5.5 - 5.5.22, and 5.4 - 5.4.38.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of a webserver. Failed attempts will likely result in denial-of-service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify no unauthorized modifications occurred to the system before installing patches.
  • Apply appropriate fixes or patches provided by the PHP Group to vulnerable systems immediately after appropriate testing.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to only those required.

REFERENCES:

PHP:

https://bugs.php.net/bug.php?id=68942

GitHub:

https://github.com/80vul/phpcodz/blob/master/research/pch-020.md

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273

SecurityFocus:

http://www.securityfocus.com/bid/72701