PHP Flaw Threatens Embedded Linux Devices

A security vulnerability first identified and patched two-and-a-half years ago remains a threat today.


An old flaw is being actively exploited and is now threatening the new Internet of things (IoT) world. Security researchers at Symantec reported on a Linux worm on Nov. 27, and this week security researchers at Cisco have found their own evidence of the flaw that is now placing the IoT at risk.

The flaw that is being exploited is a PHP-based flaw identified as CVE-2012-1823, Cisco Security Threat Research Analysis & Communications (TRAC) technical leader Craig Williams explained to eWEEK.

PHP is a popular open-source programming language that is widely deployed on all types of server infrastructure, including Windows as well as Linux machines.

The flaw is a code-injection risk that was first identified and patched in May 2012 and affects PHP versions 5.4.1 and prior. Currently, the most up-to-date version of PHP 5.4 is the 5.4.22 release. PHP 5.4.2, which provides a fix for CVE-2012-1823, was released May 3, 2012.

Cisco has been able to track infection rates for the PHP-driven malware across its own customers as well as from its new Sourcefire customers. Cisco completed its $2.7 billion acquisition of network security vendor Sourcefire in October. The combined Cisco/Sourcefire data shows a high point for attacks on the flaw coming on Nov. 30.

Attackers will continue to exploit this vulnerability as long as there are systems that are susceptible to attack, Williams said.

"One contributing factor is the ease with which this flaw can be exploited," Williams explained. "Vulnerable versions of this software are fairly widespread, so this could continue to be problematic for quite some time."

The PHP vulnerability is being leveraged by attackers to deploy the Linux.Trojan.Zollard malware, which is designed to infect Linux-based devices. While PHP runs on multiple types of servers, the current round of attacks is aimed at servers running on embedded devices, which typically run Linux.

Embedded devices are what make up the Internet of things, Williams said. "The PHP issue allows an attacker to run commands forcing the server to download and run the Zollard malware," Williams said.

Linux systems are typically configured with specific access-control restrictions for different programs and users. With the Zollard malware, if a device is infected, it would run with the same access rights as the Web server (httpd).

Organizations can protect themselves from the PHP-driven flaw in a number of ways. The first and most obvious recommendation is to simply patch PHP—although, according to Williams, patching PHP isn't always a simple proposition.

"The problem is that many embedded devices are not maintained properly or cannot be updated due to some dependency," Williams said. "If these devices are exposed to the Internet or even an intranet, they need to be protected by a security device like an intrusion-prevention system (IPS)."
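Where patching is not an option, a defender can at least check web server logs for the request shape that triggers CVE-2012-1823. The following is an added example, not code from the article or from Cisco: it assumes Apache combined-format access logs and relies on the known trigger of the bug (php-cgi built before 5.3.12 / 5.4.2 treated a query string that contains no literal "=" as command-line arguments, so a leading "-" became an option switch); the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Nov/2013:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Nov/2013:10:01:07 +0000] "POST /cgi-bin/php?-d+display_errors%3dOn HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [30/Nov/2013:10:02:11 +0000] "GET /info.php?%2Ds HTTP/1.1" 200 2048 "-" "curl/7.29.0"
203.0.113.2 - - [30/Nov/2013:10:03:00 +0000] "GET /search.php?q=-foo HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Nov/2013:10:04:30 +0000] "GET /cgi-bin/test.cgi?-s HTTP/1.1" 404 0 "-" "-"
"""

# Client IP and request target ("GET /path?query HTTP/1.1") from a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_php_cgi_arg_injection(target: str) -> bool:
    """Return True if the request target matches the CVE-2012-1823 trigger.

    Per RFC 3875, a query string with no unencoded '=' is handed to a CGI
    program as command-line arguments. Unpatched php-cgi (before 5.3.12 /
    5.4.2) honoured those arguments, so a query whose first decoded
    character is '-' was parsed as a php-cgi option switch (-s, -d, ...).
    """
    path, sep, query = target.partition("?")
    if not sep:
        return False
    # Only php-cgi is affected, so look at the last path component only.
    if "php" not in path.rsplit("/", 1)[-1].lower():
        return False
    # A literal '=' means the query is ordinary CGI input, not argv.
    if "=" in query:
        return False
    # Undo form encoding ('+' -> space, %2d -> '-') before checking.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")


def find_suspicious(log_text: str) -> list:
    """Return (client_ip, request_target) for each line that trips the check."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_php_cgi_arg_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_suspicious(SAMPLE_LOG):
        print(f"possible CVE-2012-1823 probe from {ip}: {target}")
```

A hit only shows that the request shape was seen, not that the server was vulnerable; the response status and the PHP version on the device decide that.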

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.