HIDS 30302

From Atomicorp Wiki
Rule: 30302
Status: Active
Alert Message: Self Healing: Critical vulnerability in PHP detected, attempting to remove dangerous exec stack bits from PHP modules.


Description

This event is not caused by the rules, ASL or ModSecurity. The rule fires when PHP, or one of its loaded modules, has been built or configured to require an executable stack, a weakness that exposes the system to compromise. PHP is not distributed this way; the flag is introduced by vendors that build or package PHP in this manner. Please report it to your PHP vendor.

When this condition is detected, ASL attempts to remove the executable-stack requirement from the affected PHP binaries and modules. Because the flag is introduced by whoever built or installed PHP on the system, and not by ASL, it may not always be possible to remove it.

In most cases, ASL will self-heal this condition. If PHP is working correctly, you can ignore this message: it simply means ASL is working as intended and is automatically protecting and repairing your system.

This rule does not cause the condition, so disabling the rule will not prevent it. Disabling the rule only stops ASL from attempting the fix and leaves PHP in a vulnerable, and possibly broken, state.

Log examples

host kernel: grsec: From 1.2.3.4: Segmentation fault occurred at b9119351 in /usr/bin/php[php:4818] uid/euid:32027/32027 gid/egid:32029/32029, parent /usr/local/apache/bin/httpd[httpd:4772] uid/euid:99/99 gid/egid:99/9
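As an added example (not the ASL/OSSEC rule itself, whose definition is not on this page), the parser below extracts the fields of a grsecurity segfault line in the format shown above and keeps only the events rule 30302 is concerned with. It assumes the rule's condition is simply "a grsec segfault whose faulting binary is a PHP interpreter"; the log lines are constructed, modelled on the example above, and the third is unrelated noise.

```python
"""Parse grsecurity segfault lines and pick out PHP segfaults.

Added example, not Atomicorp/ASL code. Assumption: rule 30302 matches a grsec
segfault whose faulting binary is a PHP interpreter (php, php-cgi, php-fpm).
"""
import os
import re

# Constructed lines modelled on the page's example; the third is unrelated noise.
SAMPLE_LOGS = [
    "host kernel: grsec: From 1.2.3.4: Segmentation fault occurred at b9119351 "
    "in /usr/bin/php[php:4818] uid/euid:32027/32027 gid/egid:32029/32029, "
    "parent /usr/local/apache/bin/httpd[httpd:4772] uid/euid:99/99 gid/egid:99/99",
    "host kernel: grsec: From 10.0.0.5: Segmentation fault occurred at 00007f3a2c41d000 "
    "in /usr/sbin/named[named:2211] uid/euid:25/25 gid/egid:25/25, "
    "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "host sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 52211 ssh2",
]

# grsec: From <src>: Segmentation fault occurred at <addr> in <path>[<comm>:<pid>]
#   uid/euid:a/b gid/egid:c/d, parent <path>[<comm>:<pid>] uid/euid:a/b gid/egid:c/d
GRSEC_SEGV = re.compile(
    r"grsec: From (?P<src>\S+): Segmentation fault occurred at (?P<addr>[0-9a-f]+) "
    r"in (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)
INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")


def parse_grsec_segv(line):
    """Return a dict of the segfault's fields, or None for any other line."""
    m = GRSEC_SEGV.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in INT_FIELDS:
        event[key] = int(event[key])
    return event


def is_php_segfault(event):
    """Assumed rule condition: the faulting binary is a PHP interpreter."""
    return os.path.basename(event["path"]).startswith("php")


def triage(lines):
    """Events from `lines` that rule 30302 would report on."""
    return [ev for ev in map(parse_grsec_segv, lines) if ev and is_php_segfault(ev)]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOGS):
        print("PHP segfault: %(path)s pid %(pid)d (uid %(uid)d) "
              "under %(ppath)s pid %(ppid)d from %(src)s" % ev)
```

The parent fields matter in practice: a PHP segfault whose parent is httpd is the web-server case this rule targets, while the same line with a shell as parent is usually an administrator running a CLI script, and the uid/euid pair tells you which site's user the crashing process ran as.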

Troubleshooting

False Positives

None. ASL neither generates nor causes this event. This is a reporting rule: it reports when PHP is found in this vulnerable condition and attempts to fix it. It does not cause the segmentation fault; it detects that the segmentation fault occurred.

Guidance

Please contact your PHP vendor for assistance with removing this vulnerability should ASL not be able to remove it. See the PHP segfaults FAQ for additional information on correcting it.


Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

If PHP has this weakness it segfaults as soon as it runs: the ASL kernel (grsecurity/PaX) refuses to give the process an executable stack, and PHP dies because it cannot open that hole. Specifically, the PHP binary or one of its modules is marked as requiring an executable process stack (the executable flag on the ELF PT_GNU_STACK program header, which execstack -q reports as X). Neither PHP nor its modules need this to function, and granting it defeats non-executable-memory protection for the whole web-server process: any memory-corruption bug in PHP or a module then lets an attacker place code on the stack and run it, compromising the web server and giving them a foothold from which to attack the rest of the system. Note that the flag by itself is not an exploit; it removes a mitigation, which is why ASL strips it rather than waiting for a bug to be found.
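As an added example (not ASL's own self-healing code), the script below reads the ELF program headers directly and reports whether a PHP binary or extension asks for an executable stack, which this page calls the exec stack bit; it then clears that bit the way execstack -c does. It assumes the bit is the PF_X flag of the PT_GNU_STACK header. The sample ELF is constructed in memory only to exercise the code; on a real host you would point scan_paths at the PHP binary and the extension directory, whose paths are assumed below.

```python
"""Report and clear the executable-stack request in ELF files.

Added example, not Atomicorp/ASL code. Assumption: the "exec stack bit" is the
PF_X bit of the PT_GNU_STACK program header, which is what execstack(8)
reports (-q) and clears (-c).
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program-header type carrying the stack request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission bits


def _gnu_stack(data):
    """Locate PT_GNU_STACK. Returns (file offset of p_flags, p_flags, endian
    prefix) or None when the file has no such header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian = data[4], data[5]
    end = {1: "<", 2: ">"}[endian]
    if elf_class == 2:    # ELF64: e_phoff at 32 (8 bytes), e_phentsize/e_phnum at 54
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4      # Elf64_Phdr: p_type, p_flags, p_offset, ...
    elif elf_class == 1:  # ELF32: e_phoff at 28 (4 bytes), e_phentsize/e_phnum at 42
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24     # Elf32_Phdr: p_type, p_offset, ..., p_memsz, p_flags
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_at)
            return base + flags_at, p_flags, end
    return None


def stack_status(data):
    """'X': executable stack requested. '-': non-executable. '?': no
    PT_GNU_STACK header at all; the kernel and glibc then default to an
    executable stack, so '?' is as bad as 'X' for this rule."""
    hit = _gnu_stack(data)
    if hit is None:
        return "?"
    return "X" if hit[1] & PF_X else "-"


def clear_exec_stack(data):
    """Return a copy with PF_X removed from PT_GNU_STACK. A file without the
    header is returned unchanged: adding one means rewriting the program
    header table, which is left to execstack(8) or a rebuild."""
    hit = _gnu_stack(data)
    if hit is None:
        return bytes(data)
    off, flags, end = hit
    out = bytearray(data)
    struct.pack_into(end + "I", out, off, flags & ~PF_X)
    return bytes(out)


def scan_paths(paths):
    """Map each ELF file on disk to its stack status; non-ELF files are skipped."""
    report = {}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        if data[:4] == b"\x7fELF":
            report[path] = stack_status(data)
    return report


def build_sample_elf(exec_stack, with_header=True):
    """Constructed minimal little-endian ELF64 object with one program header.
    It is not loadable; it exists only to exercise the functions above."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1, SysV
    # e_type=ET_DYN, e_machine=x86-64, phoff=64, ehsize=64, phentsize=56, phnum=1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    p_type = PT_GNU_STACK if with_header else 0              # 0 = PT_NULL
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    # e.g. python3 checkstack.py /usr/bin/php /usr/lib64/php/modules/*.so (assumed paths)
    for path, status in sorted(scan_paths(sys.argv[1:]).items()):
        print(status, path)
```

Any module reported as X or ? is one this rule will keep complaining about. Clearing the bit (here, or with execstack -c from the prelink package) is the stopgap the self-healing performs; the real fix is to rebuild the module so the linker no longer requests an executable stack, which almost always means an assembly object in the build was missing its .note.GNU-stack section.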
