The critical vulnerabilities reside in the unserialize mechanism in PHP 7, the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in past years by sending maliciously crafted data in client cookies.
Security researchers at Check Point’s exploit research team spent several months examining the unserialize mechanism in PHP 7 and discovered “three fresh and previously unknown vulnerabilities” in the mechanism.
Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the zero-day flaws can be exploited in a manner similar to a separate vulnerability (CVE-2015-6832) detailed in Check Point’s August report.
- CVE-2016-7479—Use-After-Free Code Execution
- CVE-2016-7480—Use of Uninitialized Value Code Execution
- CVE-2016-7478—Remote Denial of Service
The first two vulnerabilities, if exploited, would allow a hacker to take full control of the target server, enabling the attacker to do anything from spreading malware to stealing customer data or defacing the site.
According to Yannay Livneh of Check Point’s exploit research team, none of the above vulnerabilities has been found exploited in the wild by hackers.
The Check Point researchers reported all three zero-day vulnerabilities to the PHP security team on September 15 and August 6.
Patches for two of the three flaws were issued by the PHP security team on 13th October and 1st December, but one of them remains unpatched.
Besides patches, Check Point also released IPS signatures for the three vulnerabilities on the 18th and 31st of October to protect users against any attack that exploits these vulnerabilities.
To keep their web servers secure, users are strongly advised to upgrade to the latest version of PHP.
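
Because the flaws are reached through crafted cookie data passed to `unserialize()`, an application can also avoid handing cookie bytes to that function at all. The sketch below is an added example, not code from Check Point or the PHP project; `COOKIE_KEY`, `encode_cookie` and `decode_cookie` are hypothetical names, the key is constructed, and `JSON_THROW_ON_ERROR` assumes PHP 7.3 or later.

```php
<?php
// Added example: hypothetical helpers that keep cookie data away from unserialize().
declare(strict_types=1);

// Constructed demo key; a real deployment loads a random secret from configuration.
const COOKIE_KEY = 'constructed-demo-key-not-for-production';

// Pattern to avoid: client-controlled bytes parsed by the unserialize mechanism.
// $prefs = unserialize($_COOKIE['prefs']);

// Store plain data as JSON and bind it to the server with an HMAC.
function encode_cookie(array $data): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Verify the HMAC before any parsing; return null for anything unexpected.
function decode_cookie(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null; // not in payload.mac form
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return null; // modified or forged cookie
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    try {
        // JSON decoding yields only arrays and scalars, never PHP objects
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed sample inputs: a valid cookie, a tampered one, a serialized object string.
$good = encode_cookie(['theme' => 'dark', 'lang' => 'en']);
var_dump(decode_cookie($good));
var_dump(decode_cookie('x' . $good));
var_dump(decode_cookie('O:8:"stdClass":0:{}'));
```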