tagline: Confidence in the Connected World
CIS Logo
HomeResourcesAdvisoriesVulnerability in PHP Could Allow Remote Code Execution

Vulnerability in PHP Could Allow Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2015-017

DATE(S) ISSUED:

02/22/2015

OVERVIEW:

A vulnerability has been discovered in PHP which could allow an attacker to remotely disclose source code and potentially execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of a webserver. Failed attempts will likely result in denial-of-service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild. There are known exploits for these vulnerabilities.

SYSTEMS AFFECTED:

  • PHP 5.4.x prior to 5.4.38
  • PHP 5.5.x prior to 5.5.22
  • PHP 5.6.x prior to 5.6.6

RISK:

Goverment:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
N/A

TECHNICAL SUMMARY:

A use-after-free vulnerability has been discovered that could result in remote code execution. This vulnerability is due to a use-after-free error in the 'DateTime/DateTimeZone/DateInterval/DatePeriod' object of the '_wakeup()' magic method. This occurs because of improper handling of duplicate keys within the serialized properties of an object. An attacker may exploit this issue using a specially crafted input passed to the 'unserialize()' method.

The PHP '_wakeup()’ Function Use After Free Remote Code Execution Vulnerability exists in PHP versions 5.6 - 5.6.6, 5.5 - 5.5.22, and 5.4 - 5.4.38.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of a webserver. Failed attempts will likely result in denial-of-service conditions.

RECOMENDATIONS:

We recommend the following actions be taken:

Verify no unauthorized modifications occurred to the system before installing patches.
Apply appropriate fixes or patches provided by the PHP Group to vulnerable systems immediately after appropriate testing.
Apply the principle of Least Privilege to all systems and services.
Remind users not to visit websites or follow links provided by unknown or untrusted sources.
Do not open email attachments from unknown or untrusted sources.
Limit user account privileges to only those required.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories