PHP 7 Unserialize Mechanism 0-days
Recently researchers at "Check Point" have uncovered 3 new previously unknown vulnerabilities in the new version of PHP. CVE-2016-7479 and CVE-2016-7480 could result in attackers taking a full control of the target server, while CVE-2016-7478 causes a Denial of Service condition resulting in server hang. Those vulnerabilities are related to triggering unwanted behaviour when PHP un-serializes objects. Such malicious objects might be sent to any PHP application as HTTP parameter, cookie or header values. Mitigation with Big-IP ASM BigIP-ASM customers are already protected against the new 0-days, while the attack will be detected and blocked by existing "Server Side Code Injection" signatures, specifically: "PHP object serialization injection attempt (Parameter)" (200004188) "PHP object serialization injection attempt (Header)" (200004189) "PHP object serialization injection attempt (URI)" (200004190) Following are examples of the blocked attack vectors related to those CVEs and the invoked attack signatures: Figure 1: Denial of Service attack vector (CVE-2016-7478) blocked with Attack Signature (200004188) Figure 2: CVE-2016-7479 proof of concept exploit Figure 3:CVE-2016-7479 POC exploit is being blocked with Attack Signature (200004188) Figure 4:CVE-2016-7479 "DateInterval" attack vector blocked with Attack Signature (200004188)
