AttackerKB AKB:2A9031FA-D646-4C09-BBE2-A5061795F45B
Jan 04, 2021 - 12:00 a.m.

CVE-2021-3007

attackerkb.com

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 9.6 High (Confidence: High)

EPSS: 0.044 Low (Percentile: 92.4%)

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a “vulnerability in the PHP language itself” but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
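To make the destructor pattern in that description concrete, here is an added, self-contained PHP example; it is not laminas-http or Zend Framework code. The class names LoggingStringable, VulnerableStream and HardenedStream are hypothetical stand-ins, and the "gadget" is a harmless __toString that only records that it was called, not the real chain to command execution. It shows why a serialized object whose streamName property is an object rather than a string reaches that object's __toString when __destruct passes it to unlink(), how a type check of the kind the vendor describes stops that, and that unserialize() with allowed_classes => false never instantiates the class in the first place.

```php
<?php
// Added illustration of the CVE-2021-3007 destructor pattern.
// Not laminas-http code; all class names below are hypothetical.

// Stand-in for any class with __toString that unserialize() can instantiate.
// A real gadget would do something dangerous here; this one only records the call.
final class LoggingStringable
{
    public string $marker = 'reached __toString';
    public static array $events = [];

    public function __toString(): string
    {
        self::$events[] = $this->marker;   // side effect of the implicit string cast
        return '/tmp/does-not-exist';      // harmless path for unlink()
    }
}

// Vulnerable shape: trusts the types of properties restored by unserialize().
final class VulnerableStream
{
    public $streamName;        // meant to be a string, but any value survives unserialize()
    public $cleanup = false;

    public function __destruct()
    {
        if ($this->cleanup) {
            @unlink($this->streamName);   // object -> string coercion runs the gadget's __toString
        }
    }
}

// Hardened shape: mirrors the idea of checking types before acting on them.
final class HardenedStream
{
    public $streamName;
    public $cleanup = false;

    public function __destruct()
    {
        if ($this->cleanup === true && is_string($this->streamName) && $this->streamName !== '') {
            @unlink($this->streamName);
        }
    }
}

// Constructed payload: a serialized stream object whose streamName is an object.
function buildPayload(string $class): string
{
    $obj = new $class();
    $obj->cleanup = true;
    $obj->streamName = new LoggingStringable();
    return serialize($obj);
}

// Unserialize, drop the object so its destructor runs, and count gadget calls.
function gadgetCalls(string $payload, array $options = []): int
{
    LoggingStringable::$events = [];
    $restored = unserialize($payload, $options);
    unset($restored);                        // __destruct (if any) runs here
    return count(LoggingStringable::$events);
}

printf("vulnerable class:         %d gadget call(s)\n",
    gadgetCalls(buildPayload(VulnerableStream::class)));
printf("hardened class:           %d gadget call(s)\n",
    gadgetCalls(buildPayload(HardenedStream::class)));
// The real fix is to never unserialize attacker-controlled data; if it is
// unavoidable, refuse to instantiate classes at all.
printf("allowed_classes => false: %d gadget call(s)\n",
    gadgetCalls(buildPayload(VulnerableStream::class), ['allowed_classes' => false]));
```

Only the VulnerableStream run reaches the __toString method: unlink() takes a string, so PHP's coercive mode stringifies the object and the gadget fires before the file operation ever fails. The is_string() check in HardenedStream refuses the object outright, and allowed_classes => false turns both objects into __PHP_Incomplete_Class instances, which have neither a destructor nor a __toString to abuse. Type checks in destructors are a mitigation for code that has already let untrusted data into unserialize(); the check that actually closes the hole is not deserializing that data.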

Recent assessments:

gwillcox-r7 at January 21, 2021 3:48am UTC reported:

Reported as exploited in the wild by CheckPoint Research as part of the FreakOut attacks, as written up at <https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/>. This operation was designed to create an IRC-controlled botnet that could be used for future operations, and for coin mining.

As written in <https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/>, the attackers abused the Zend3 feature (which loads classes from objects) of Zend Framework version 3.0.0 and higher to cause a deserialization issue. In the case of the FreakOut attacks, attackers sent a crafted POST request to /zend3/public with a serialized payload containing a callback parameter, and injected commands to be executed into the serialized callbackOptions parameter in place of the normal array.

There is also a nice analysis of this vulnerability at <https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend framework3 反序列化 rce.md>, should you wish to dive further into the gory details of the bug. This is written in Chinese though, so you might need to translate it first.

As there is a lot of information on this vulnerability out at the moment, I am rating this as a high probability of exploitability, not because it's a complex bug, but purely because, given Checkpoint Research's write-up, all an attacker has to do is write a sample request from the screenshot provided, and they will be able to replicate the bug and craft a working exploit. Otherwise this would normally have a lower exploitability rating, as deserialization bugs are not always that simple to exploit.

Additionally, the bigger concern here is that there is no patch for this vulnerability for the Zend Framework to the best of my knowledge, since it is no longer supported by its developers. Users who are affected by this vulnerability are therefore encouraged to migrate to a different framework as soon as possible and severely limit interaction with any servers running Zend Framework in the meantime.

wvu-r7 at January 28, 2021 11:58pm UTC reported:


Assessed Attacker Value: 5
