CVE-2022-41922: Remote Code Execution (RCE) Vulnerability in `yiisoft/yii` Before Version 1.1.27

A critical vulnerability has been discovered in yiisoft/yii framework versions prior to 1.1.27. The vulnerability is marked as CVE-2022-41922 and allows Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. The issue has been patched in version 1.1.27. In this post, we'll provide a detailed analysis of the vulnerability, a code snippet showcasing the problematic behavior, and references to original disclosure and patch details.

What is yiisoft/yii?

yiisoft/yii is a popular open-source web application framework written in PHP. It provides various features like MVC design pattern, caching mechanisms, and application scaffolding, among others. You can read more about the Yii framework on their official website (https://www.yiiframework.com/).

Vulnerability Overview

The core of the vulnerability lies in the usage of the unserialize() function on user-supplied input. This function takes a serialized string and converts it back into its original PHP value. However, if an attacker can create a carefully crafted serialized string, they can potentially inject and execute malicious code on the target server.

Affected Versions

yiisoft/yii versions before 1.1.27 are affected by this vulnerability.

Code Snippet

Here is a basic example demonstrating the unsafe usage of unserialize().

<?php
// Unsafe usage of unserialize function with user input
$user_input = $_GET['data'];
$unserialized_data = unserialize($user_input);

// Application code using unserialized data
// ...
?>

An attacker could create a serialized object with a payload that triggers an RCE. Note that this is just an example and that the actual method of exploitation would depend on the specific application implementation.

Mitigation

To mitigate this vulnerability, it is essential to upgrade the yiisoft/yii framework to version 1.1.27 or higher. The patch involves replacing the unsafe unserialize() function with safer alternatives like JSON encoding/decoding or ensuring user input is sanitized properly before unserialization.

Exploit Details

There are no publicly available exploits for this vulnerability at the time of writing this post. However, it's essential to take the necessary steps to patch your application to prevent potential risks.

Original disclosure of the vulnerability by Yii Framework security team

https://github.com/yiisoft/yii/security/advisories/GHSA-h6cf-vjxh-55fq

Patch details in Yii Framework v1.1.27 release notes

https://www.yiiframework.com/files/CHANGELOG-1.1.txt

Conclusion

CVE-2022-41922 is a serious vulnerability affecting yiisoft/yii versions before 1.1.27, allowing Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. It is imperative for developers and administrators using the Yii framework to update to version 1.1.27 or later, which contains the patch for this vulnerability. Keeping your software up-to-date is a fundamental security practice, and it ensures the integrity and safety of your application.

Timeline

Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/30/2022 13:44:00 UTC