Advisory No: TZCERT/SA/2018/12/05
Date of First Release: 6th December, 2018
Source: PHP, CISCO
Software Affected: PHP versions 5.x through 7.1.24
Overview:
A vulnerability has been discovered in PHP: Hypertext Preprocessor (PHP) that can allow a remote attacker to cause a denial of service (DoS) condition on the affected system.
Description:
It has been reported that the serialization code in PHP, in the files “ext/standard/var.c” and “ext/standard/var_unserializer.c”, is susceptible to a denial of service (DoS) condition caused by a NULL pointer dereference.
A remote, unauthenticated attacker can trigger the condition when serialized data that names the “com”, “dotnet” or “variant” class is passed to an unserialize call, for example by sending a specially crafted request whose contents the affected PHP application deserializes.
Impact:
Successful exploitation of the vulnerability allows an attacker to trigger a NULL pointer dereference that crashes the affected PHP process, resulting in a DoS condition on the affected system.
Solution:
Users and system administrators are advised to update affected PHP installations to the latest version and to implement the following security measures:
- Run firewall and antivirus applications to minimize the potential for inbound and outbound threats.
- Implement IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
- Implement a strong firewall policy and monitor the affected systems.
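The network measures above limit who can reach the application; the control that removes the exposure itself is at the application layer, because the crashing code path is only reached when the attacker chooses the class name inside a serialized payload. The following is an added illustration written for this advisory, not code from the advisory or from the PHP project. It assumes PHP 7.0 or later (the version that introduced the allowed_classes option), a hypothetical request parameter named "data", and a constructed sample payload; the com, dotnet and variant classes come from the com_dotnet extension, which is only available on Windows builds of PHP, so the sample only reaches the affected code on such a build.

```php
<?php
// Added example; not code from the advisory or from the PHP project.
// The class-specific serialization handlers that crash are only reached
// when the attacker controls the class name in a serialized payload.
// Constructed sample input: a serialized object of class "com" with
// zero properties.
$sample_payload = 'O:3:"com":0:{}';

// Exposed pattern: request bytes go straight to unserialize(), so the
// attacker picks the class PHP instantiates. (The request parameter
// "data" is a hypothetical name.)
function vulnerable_decode(string $data)
{
    return unserialize($data);
}

// Returns true if the decoded value, or anything nested inside it, is an
// object placeholder left behind because instantiation was refused.
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened form (PHP 7.0 and later): 'allowed_classes' => false makes
// unserialize() instantiate no class at all. Objects in the payload become
// __PHP_Incomplete_Class, so the com/dotnet/variant handlers never run, and
// such a payload is then rejected outright instead of being passed on.
// Scalars and arrays, which is what request data normally carries, decode
// unchanged.
function safe_decode(string $data)
{
    // unserialize() raises a notice on malformed input; 'b:0;' is the one
    // valid payload that legitimately decodes to false.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        return false;                       // malformed input
    }
    if (contains_incomplete_class($value)) {
        return false;                       // payload tried to smuggle an object
    }
    return $value;
}

// Where the wire format is yours to choose, a data-only encoding such as
// JSON has no notion of classes, which removes the exposure entirely.
function json_decode_array(string $data)
{
    $value = json_decode($data, true);
    return json_last_error() === JSON_ERROR_NONE ? $value : false;
}

// Usage on the constructed sample and on a benign array payload.
$refused = safe_decode($sample_payload);
$decoded = safe_decode('a:1:{s:2:"id";i:42;}');
```

On the constructed sample, safe_decode() returns false without any com object ever being created; on the array payload it returns the array with key "id" mapped to 42. Passing allowed_classes => false is the right default whenever the serialized data does not need to carry objects; if specific classes are required, list only those class names instead of false.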
References: