Source: cve@mitre.org
The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP object injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie.
GONICUS GOsa 2.7.5.2 is vulnerable to a critical PHP object injection flaw that allows a remote, authenticated attacker to achieve arbitrary file deletion on the server. The flaw stems from the insecure use of unserialize() on user-controlled input, the GOsa_Filter_Settings cookie, which lets an attacker inject malicious PHP objects and execute code with the web server's privileges, leading to potential system compromise.
Step 1: Authentication: The attacker must first authenticate to the GOsa web interface, gaining a valid session.
Step 2: Cookie Crafting: The attacker crafts a malicious GOsa_Filter_Settings cookie. This cookie contains a serialized PHP object designed to exploit the unserialize() vulnerability.
Step 3: Payload Delivery: The attacker sends a request to the GOsa server, including the crafted GOsa_Filter_Settings cookie.
Step 4: Deserialization: The GOsa application receives the request and calls unserialize() on the cookie's value to restore the filter settings.
Step 5: Object Instantiation and Code Execution: unserialize() instantiates the malicious object, and its magic methods run automatically during deserialization. This leads to the execution of attacker-controlled logic, such as a file deletion.
Step 6: File Deletion: The attacker's code, executed with the web server's privileges, deletes a specified file on the server.
The vulnerability lies in the handling of the GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2. The application calls unserialize() on the cookie's value, which is intended to hold the user's filter settings, without validating the input first. An attacker can therefore supply a cookie value containing a specially constructed serialized PHP object; when unserialize() processes it, the object's methods run and can perform arbitrary actions, including file deletion. The root cause is insecure deserialization of user-supplied data without input validation: unserialize() is inherently dangerous on untrusted input because it can instantiate any available class and trigger its magic methods, which leads to code execution.
While no specific APT groups are definitively linked to exploiting this vulnerability, the ease of exploitation and the potential for complete system compromise make it attractive to various threat actors. This vulnerability could be leveraged by attackers for initial access or as part of a larger attack chain. Not listed on CISA KEV.
Monitor web server logs for suspicious HTTP requests containing unusually long or malformed GOsa_Filter_Settings cookie values.
Correlate file deletion events on the host with web server access log entries, especially deletions performed by the web server process itself.
Implement intrusion detection system (IDS) rules to identify malicious cookie values based on known exploit patterns or signatures.
Monitor file system activity for unexpected file deletions, particularly within the web server's document root or other sensitive directories.
Examine network traffic for unusual patterns associated with cookie manipulation or PHP object injection attempts.
Upgrade to a patched version of GONICUS GOsa that addresses the vulnerability. Consult the vendor's security advisories for specific patch details.
Implement input validation and sanitization for all user-supplied data, including cookie values. Specifically, validate the format and content of the GOsa_Filter_Settings cookie before passing it to unserialize().
Avoid using unserialize() with untrusted input whenever possible. If unserialize() is necessary, implement strict whitelisting of allowed classes to prevent the instantiation of arbitrary objects.
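The detection and mitigation points above both come down to one rule: data restored from the cookie may contain scalars and arrays, never objects. The following added example (not GOsa code) implements that rule as a small Python parser for PHP's serialize() format that refuses every object token; it is the equivalent of PHP's own unserialize($v, ['allowed_classes' => false]) and can also be run over cookie values extracted from request logs to flag object-injection attempts. All sample values are constructed.

```python
"""Decode PHP serialize() data while refusing every object token (O:, C:),
the analogue of unserialize($v, ['allowed_classes' => false]); also usable
over cookie values from request logs. Added example, not GOsa code."""
from urllib.parse import unquote

class UnsafePayload(ValueError):
    """Value carries a PHP object or is not well-formed serialize() data."""

def parse_php_serialized(data: str):
    """Return Python data for scalars/arrays; raise UnsafePayload otherwise."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise UnsafePayload(f"trailing data at offset {pos}")
    return value

def _parse(s: str, i: int):
    tag = s[i:i + 2]
    if tag == "N;":                                  # null
        return None, i + 2
    if tag in ("i:", "b:", "d:"):                    # int / bool / float
        end = s.index(";", i)
        conv = {"i:": int, "b:": lambda r: r == "1", "d:": float}[tag]
        return conv(s[i + 2:end]), end + 1
    if tag == "s:":                                  # s:<len>:"<bytes>"; (ASCII assumed)
        colon = s.index(":", i + 2)
        n, start = int(s[i + 2:colon]), colon + 2     # start skips :"
        if s[start + n:start + n + 2] != '";':
            raise UnsafePayload("string length does not match body")
        return s[start:start + n], start + n + 2
    if tag == "a:":                                  # a:<count>:{k;v;...}
        colon = s.index(":", i + 2)
        n, j, out = int(s[i + 2:colon]), colon + 2, {}  # j skips :{
        for _ in range(n):
            key, j = _parse(s, j)
            out[key], j = _parse(s, j)
        if s[j] != "}":
            raise UnsafePayload("unterminated array")
        return out, j + 1
    if tag in ("O:", "C:"):                          # objects: never allowed
        raise UnsafePayload(f"object token {tag!r} at offset {i}")
    raise UnsafePayload(f"unknown token {tag!r} at offset {i}")

def cookie_is_safe(cookie_value: str) -> bool:
    """True when the (possibly URL-encoded) cookie holds plain data only.
    False means an object or malformed data: flag that request in review."""
    try:
        parse_php_serialized(unquote(cookie_value))
        return True
    except (UnsafePayload, ValueError, IndexError, TypeError):
        return False
```

Nested objects are caught as well, because the array branch recurses into each key and value before accepting the array.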
Review and harden the web server configuration to minimize the impact of a successful exploit. This includes restricting file system access for the web server user and disabling unnecessary PHP functions.
Regularly scan the system for vulnerabilities and apply security patches promptly.
Implement a web application firewall (WAF) to detect and block malicious requests targeting the vulnerability.