
Hackers Actively Exploiting Old PHP Vulnerability in Server Attacks: Imperva

Zero-day vulnerabilities tend to grab headlines, but administrators need to be paying attention to known, and already patched, vulnerabilities, according to a new Imperva threat advisory. Even if administrators ignore the older bugs, it’s a sure bet that online criminals are not.

The fact that administrators don’t always update servers with the latest patches in a timely manner is fairly well-known. What makes this sad state of affairs even worse is that administrators apparently don’t patch vulnerable Web servers even when an exploit is publicly available and is being used in attacks, Barry Shteiman, director of security strategy at Imperva, told SecurityWeek.

Imperva issued a threat advisory on Wednesday for a code injection vulnerability in PHP (CVE-2012-1823).

“Zero-day vulnerabilities become zero-effort,” Shteiman said, noting that attackers can use publicly available exploits to craft new attacks.

While this particular PHP flaw was discovered in March 2012 and patched in May, a public exploit began making the rounds in October 2013, Imperva said in its advisory. The fact that the exploit became publicly available more than a year later suggests criminals were still enjoying some degree of success targeting this vulnerability, Shteiman said.

Cyber-criminals understand the gap between the time a vulnerability is discovered in the wild and the time it gets reported and the vendor releases a patch. There is a second gap between when the patch is available and when administrators and organizations become aware that both the problem and a fix exist. Cyber-criminals also know that servers running PHP are frequently not updated even when newer versions are available.

“This creates a window of opportunity for hackers to act on, as they know that the window will be open for a long time,” Imperva said.

The PHP vulnerability is the star of this research, but the fact that administrators are leaving themselves vulnerable to serious attacks by not regularly updating software is not unique to any particular bug. It takes months for most websites to get patched, and attackers are clearly taking advantage of the delay to create exploits to target these vulnerabilities. There is no need to scramble around for zero-days when the older flaws are just as useful, even when the patches are available, Shteiman said.

Imperva’s honeypots detected more than 30,000 campaigns using some form of the exploit within three weeks of its publication.

“Hacking is no longer about showing off, but more about financial gain with the least amount of effort,” Shteiman said.

The details of the vulnerability, such as how it can be exploited and what happens when it is triggered, weren’t really the point of the team’s research, Shteiman said. The team selected this particular PHP flaw for the analysis because it was disclosed and fixed quite some time ago, and also because PHP is considered a mature technology and is widely used. In fact, nearly 82 percent of all websites today are written in PHP, according to Imperva. The bug exists in PHP versions older than 5.4.2 or 5.3.12, and version 5.3 runs on almost 42 percent of all sites.

In this case, attackers scan for servers with vulnerable versions of PHP and use maliciously crafted code to infect them with malware. Transformed into zombies, these servers receive commands from a remote command-and-control server. Imperva verified that several botnets have incorporated the exploit code and to this day are still scanning and infecting servers. Imperva recommended that administrators check the PHP version on their servers and update it immediately if it is a vulnerable version.
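The version check Imperva recommends, written out as an added example (not Imperva's or SecurityWeek's code): it parses the numeric version out of `php -v` style output and compares it against the fixed releases named in the article, 5.3.12 and 5.4.2. The sample banner strings are constructed for illustration.

```python
import re

# Fixed releases named in the advisory: 5.3.12 and 5.4.2 close CVE-2012-1823.
# Anything below those on the same branch, or on an older branch, is vulnerable.
FIXED_BY_BRANCH = {(5, 3): (5, 3, 12), (5, 4): (5, 4, 2)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Return (major, minor, patch) from `php -v` output or a bare version string.

    Distribution builds append suffixes such as '5.3.10-1ubuntu3.4' (constructed
    example); only the leading numeric triple is used.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no PHP version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if a (major, minor, patch) tuple predates the fix for its branch."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Branches before 5.3 are older than both fixed releases; 5.5 and later
    # were released after the fix and are not affected.
    return version < (5, 3, 0)


def check_php_banner(text):
    """Convenience wrapper: parse a banner and report the verdict."""
    version = parse_php_version(text)
    return {"version": "%d.%d.%d" % version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Constructed banners in the shape `php -v` prints; not real hosts.
    for banner in (
        "PHP 5.3.10-1ubuntu3.4 with Suhosin-Patch (cli) (built: Jun 13 2012)",
        "PHP 5.4.2 (cli) (built: May  8 2012)",
        "PHP 7.4.3 (cli) (built: Mar  2 2022) ( NTS )",
    ):
        print(check_php_banner(banner))
```

Distributions such as Debian and Red Hat backport security fixes without bumping the upstream version, so a banner alone can report a patched build as vulnerable; confirm against the package's changelog before acting on the result.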

More importantly, administrators have to close the gap between when updates are available and when they are deployed to stop the attacks, Shteiman said.
