
PHP Denial of Service Vulnerability

Advisory No: TZCERT/SA/2018/12/05

Date of First Release: 6th December, 2018

Source: PHP, CISCO

Software Affected: PHP versions 5.x through 7.1.24

Overview:
A potential vulnerability has been discovered in PHP (Hypertext Preprocessor) that can allow a remote attacker to cause a denial of service condition on the affected system.

Description:

It has been revealed that the “ext/standard/var.c” and “ext/standard/var_unserializer.c” files in PHP are susceptible to a Denial of Service (DoS) condition caused by a NULL pointer dereference.

A remote unauthorized user can exploit this vulnerability either when an unserialize call handled by “ext/standard/var_unserializer.c” references the “com” or “dotnet” class (or a variant of them), or when a specially crafted request carrying malicious input is sent to the affected PHP software.

Impact:

Successful exploitation of the vulnerability allows an attacker to trigger the NULL pointer dereference and crash the software, resulting in a DoS condition on the affected PHP installation.

Solution:

Users and system administrators are advised to update the affected PHP installation to the latest version and to implement the following security measures:

  1. Run firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  2. Implement IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  3. Implement a strong firewall policy and monitor the affected systems.
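The advisory ties the crash to unserialize() being fed input that names the “com” or “dotnet” class. The following PHP script is an added defensive example written for this page; it is not code from TZCERT, Cisco or the PHP project. It assumes PHP 7.0 or later (for the `allowed_classes` option of `unserialize()`), and it does two things a practitioner would want: report whether the running interpreter falls inside the advisory's affected range (5.x through 7.1.24), and deserialize untrusted data without letting the unserializer instantiate any named class, rejecting payloads that tried to. The sample inputs are constructed for the demonstration.

```php
<?php
// Added defensive example for the TZCERT advisory above; not code from the
// advisory or from PHP. Assumes PHP >= 7.0 for unserialize()'s allowed_classes.
declare(strict_types=1);

// True when $version lies in the advisory's affected range, 5.x through 7.1.24.
// Releases after 7.1.24 are treated as outside the range; consult the vendor
// for the exact fixed version rather than relying on this check alone.
function php_in_affected_range(string $version = PHP_VERSION): bool
{
    return version_compare($version, '5.0.0', '>=')
        && version_compare($version, '7.1.24', '<=');
}

// Recursively look for objects the unserializer refused to instantiate.
// With allowed_classes => false every O:/C: token becomes a
// __PHP_Incomplete_Class placeholder instead of a real object.
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $element) {
            if (contains_incomplete_class($element)) {
                return true;
            }
        }
    }
    return false;
}

// Deserialize untrusted input for an application that only expects scalars
// and arrays. No class (COM, DOTNET or anything else) is ever constructed,
// and any payload that carried object tokens is rejected after the fact.
function safe_unserialize(string $data)
{
    $value = unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed data and for the
    // legitimate serialized boolean 'b:0;'; distinguish the two.
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (contains_incomplete_class($value)) {
        throw new UnexpectedValueException('object tokens are not accepted from untrusted input');
    }
    return $value;
}

// Constructed sample inputs (not from the advisory).
$benign = 'a:2:{i:0;s:3:"foo";i:1;i:42;}';   // plain array of scalars
$withObject = 'a:1:{i:0;O:8:"stdClass":0:{}}'; // array smuggling an object

var_dump(safe_unserialize($benign));          // array(2) { [0]=> "foo", [1]=> 42 }

try {
    safe_unserialize($withObject);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

if (php_in_affected_range()) {
    echo 'PHP ', PHP_VERSION, " is within the advisory's affected range; upgrade.", PHP_EOL;
}
```

Restricting `allowed_classes` is a general hardening step for any code path that unserializes data from the network; it does not replace the upgrade the advisory calls for. Where the application genuinely needs objects back from unserialize(), pass an explicit allow-list of class names instead of `false`, and keep the post-deserialization check so that anything outside that list is still refused.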

References:

  1. https://tools.cisco.com/security/center/viewAlert.x?alertId=59180
  2. https://tools.cisco.com/security/center/viewAlert.x?alertId=59181
  3. https://www.securityfocus.com/bid/105989
