Unpatched Vulnerability Affecting PHP 7 Servers

Share this…

PHP 7 is affected by an unpatched vulnerability that opens servers running the latest branch of the PHP programming language to attacks.

The vulnerability, yet unpatched is part of a trifecta of bugs disclosed during a presentation by Yannay Livneh, Check Point researcher, at this year’s 33rd Chaos Communication Congress.

Vulnerabilities affect PHP 7’s unserialize mechanism

All three bugs affect PHP’s unserialize mechanism, the process of converting a stream of bytes back into a PHP object.

The CVE identification markers of the three bugs are CVE-2016-7478, CVE-2016-7479, and CVE-2016-7480.

According to a technical report released by Livneh, the first bug is a Denial of Service (DoS) issue, but which can be exploited remotely and used to cause a PHP server to consume too much memory, hang the website, and even shut down the server process.

The other two bugs are remote code execution (RCE) vulnerabilities that allow an attacker to execute malicious code on the server, which in some scenarios might enable the intruder to take over the entire server.

One bug remains unpatched

Livneh says he informed the PHP team of the issues in August and September this year. The PHP team pushed a bugfix on October 13, with the release of PHP 7.0.12, and on December 1, with the release of PHP 7.1.0.

The PHP team fixed only two of the three issues at the time of writing, with one bug remaining unpatched. Bleeping Computer has reached out to Stanislav Malyshev, a member of the PHP team, to inquire about the status of the last bug. According to Malyshev, the PHP team doesn’t “usually have specific release dates for individual bugs.”

“The releases of PHP are done every 4 weeks, with the next one planned on January 5th,” Malyshev said. “Once the fix for the particular bug is ready, it is released in the next scheduled release.”

Livneh says the three bugs can be exploited using a technique he previously detailed in August. The researcher has not specified which of the three bugs remained unpatched.

Bleeping Computer has reached out to Livneh to inquire if there is evidence that any of the three bugs has been exploited in the wild.

The unending saga of serialize/unserialize issues

The serialize/unserialize mechanism (transforming data objects into memory bytes and vice-versa) has been a major cause of problems in earlier PHP versions, and it appears that it will be the same for PHP 7.

A bug in the PHP serialize mechanism has previously allowed researchers to hack into PornHub.

Similarly, issues with the unserialize operations also affect Java apps, and a major bug has been used to compromise some PayPal services this year.