Advisory No: TZCERT/SA/2018/12/05
Date of First Release: 6th December, 2018
Source: PHP, CISCO
Software Affected: PHP versions 5.x through 7.1.24
Potential vulnerability has been discovered in Hypertext Pre-processor (PHP) which can allow a remote attacker to cause denial of service condition on the affected system.
It has been revealed that “ext/standard/var.c” and “ext/standard/var_unserializer.c” files in PHP software are susceptible to Denial of Service (DoS) condition due to a NULL pointer dereference.
A remote unauthorized user can exploit this vulnerability when either unserialize call is made to “ext/standard/var_unserializer.c” file for the “com”, “dotnet” and its variant class or a specially crafted request sent malicious input to the affected PHP software.
Successful exploitation of the vulnerabilities can allow an attacker to trigger pointer dereference condition that cause users of software crash resulted into a DoS condition on affected PHP software.
Users and System administrators are advised to update the affected PHP to the latest version as well as the implement the following security measures;
- Run firewall and antivirus applications to minimize the potential of inbound and outbound threats.
- Implement IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
- Implement a strong firewall policy and monitor the affected systems.