Security Experts:

Hackers Actively Exploiting Old PHP Vulnerability in Server Attacks: Imperva

Zero-day vulnerabilities tend to grab headlines, but administrators need to be paying attention to known, and already patched, vulnerabilities, according to a new Imperva threat advisory. Even if administrators ignore the older bugs, it's a sure bet that online criminals are not.

The fact that administrators don't always update servers with the latest patches in a timely manner is fairly well-known. What makes this sad state of affairs even worse is that administrators apparently don't patch vulnerable Web servers even when an exploit is publicly available and is being used in attacks, Barry Shteiman, director of security strategy at Imperva, told SecurityWeek.

Imperva issued a threat advisory on Wednesday for a code injection vulnerability in PHP (CVE-2012-1823).

“Zero-day vulnerabilities become zero-effort,” Shteiman said, noting that attackers can use publicly available exploits to craft new attacks.

While this particular PHP flaw was discovered in March 2012 and patched in May, a public exploit began making the rounds in October 2013, Imperva said in its advisory. The fact that the exploit became publicly available more than a year later suggests criminals were still enjoying some degree of success targeting this vulnerability, Shteiman said.

Cyber-criminals understand the gap between the time a vulnerability is discovered in the wild to the time it gets reported and the vendor releases a patch. There is another gap between when the patch is available and when administrators and organizations become aware that both the problem and a fix are available. Cyber-criminals are aware that servers running PHP are frequently not updated even when newer versions are available.

“This creates a window of opportunity for hackers to act on, as they know that the window will be open for a long time,” Imperva said.

The PHP vulnerability is the star of this research, but the fact that administrators are leaving themselves vulnerable to serious attacks by not regularly updating software is not unique to any particular bug. It takes months for most websites to get patched, and attackers are clearly taking advantage of the delay to create exploits to target these vulnerabilities. There is no need to scramble around for zero-days when the older flaws are just as useful, even when the patches are available, Shteiman said.

Imperva's honeypots detected more than 30,000 campaigns using some form of the exploit within three weeks of its publication.

“Hacking is no longer about showing off, but more about financial gain with the least amount of effort,” Shteiman said.

The details of the vulnerability, such as how it can be exploited and what happens when triggered, wasn't really the point of the team's research, Shteiman said. The team selected this particular PHP flaw for the analysis because it was disclosed and fixed quite some time ago, and also because PHP is considered to be a mature technology and is widely used. In fact, nearly 82 percent of all Websites today are written in PHP, according to Imperva. The bug exists in PHP versions older than 5.4.2 or 5.3.12, and version 5.3 runs on almost 42 percent of all the sites.

In this case, attackers scan for servers with vulnerable versions of PHP and use maliciously crafted code to infect them with malware. Transformed into zombies, these servers receive commands from a remote command-and-control server. Imperva verified several botnets have incorporated the exploit code and to this day are still scanning and infecting servers. Imperva recommended administrators check the PHP version on their servers and update it immediately if it is a vulnerable version.

More importantly, administrators have to close the gap between when updates are available and when they are deployed to stop the attacks, Shteiman said.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.