HIDS 30302
Rule 30302 | |
---|---|
Status | Active |
Alert Message | Self Healing: Critical vulnerability in PHP detected, attempting to remove dangerous exec stack bits from PHP modules. |
Description
This event is not caused by the rules, ASL or modsecurity. This rule detects when PHP has been incorrectly configured to include a dangerous vulnerability that exposes the system to full compromise. PHP is not distributed with this vulnerability, and is only introduced by vendors that specifically configure PHP in this vulnerable manner. Please contact your PHP vendor to report this vulnerability.
When this vulnerability is detected, ASL will attempt to remove it from PHP. However, because the vulnerability is introduced by whatever vendor built and/or installed PHP on the system, and is not caused by ASL, it may not always be possible to remove it.
In most cases, ASL will self heal this vulnerability in PHP. If PHP is working correctly, you can ignore this message. It simply means ASL is working correctly and is automatically protecting and self healing your system.
This rule does not cause the condition, so disabling the rule will not prevent it. Disabling this rule will prevent ASL from attempting to fix the vulnerability and will still leave PHP in a vulnerable and potentially broken state.
Log examples
host kernel: grsec: From 1.2.3.4: Segmentation fault occurred at b9119351 in /usr/bin/php[php:4818] uid/euid:32027/32027 gid/egid:32029/32029, parent /usr/local/apache/bin/httpd[httpd:4772] uid/euid:99/99 gid/egid:99/9
Troubleshooting
False Positives
None. This event is not generated or caused by ASL in any way. This is a reporting rule: it reports when PHP is detected in this vulnerable condition and attempts to fix it. It does not cause the segmentation fault; it detects when the segmentation fault occurs.
Guidance
Please contact your PHP vendor for assistance with removing this vulnerability should ASL not be able to remove it. See the PHP segfaults FAQ for additional information on correcting this vulnerability.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.
Notes
If PHP has this vulnerability, it will segfault when it tries to run: the ASL kernel protects itself from the vulnerability, and PHP dies because it cannot punch this hole into the system. The specific vulnerability is that PHP, or one of its modules, tries to configure itself to allow the kernel "stack" to be executable. This is unnecessary for PHP or its modules to function, and it creates a root level hole in the system, making it possible for an attacker to inject code right into the kernel "stack", run whatever code they want on the system, and thereby compromise the entire system.