Vulnerability in PHP Could Allow Remote Code Execution

ITS Advisory Number: 
2015-015
Date(s) Issued: 
Monday, February 23, 2015
Subject: 
Vulnerability in PHP Could Allow Remote Code Execution
Overview: 

A vulnerability has been discovered in PHP which could allow an attacker to remotely disclose source code and potentially execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of a webserver. Failed attempts will likely result in denial-of-service conditions.

Systems Affected: 

* PHP 5.4.x prior to 5.4.38
* PHP 5.5.x prior to 5.5.22
* PHP 5.6.x prior to 5.6.6

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
N/A
Description: 

A use-after-free vulnerability has been discovered that could result in remote code execution. This vulnerability is due to a use-after-free error in the 'DateTime/DateTimeZone/DateInterval/DatePeriod' object of the '_wakeup()' magic method. This occurs because of improper handling of duplicate keys within the serialized properties of an object. An attacker may exploit this issue using a specially crafted input passed to the 'unserialize()' method.

The PHP '_wakeup()' Function Use After Free Remote Code Execution Vulnerability exists in PHP versions 5.6 - 5.6.6, 5.5 - 5.5.22, and 5.4 - 5.4.38.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of a webserver. Failed attempts will likely result in denial-of-service conditions.

Actions: 

We recommend the following actions be taken:

* Verify no unauthorized modifications occurred to the system before installing patches.
* Apply appropriate fixes or patches provided by the PHP Group to vulnerable systems immediately after appropriate testing.
* Apply the principle of Least Privilege to all systems and services.
* Remind users not to visit websites or follow links provided by unknown or untrusted sources.
* Do not open email attachments from unknown or untrusted sources.