Security researchers recently identified two critical code vulnerabilities in a central component of the PHP supply chain. Called PEAR, or PHP Extension and Application Repository, the component is both a framework and a distribution system for reusable PHP components. The two PEAR vulnerabilities could have been easily identified and exploited by threat actors, the researchers said, with nearly no technical expertise or knowledge needed.
PEAR PHP Repository Vulnerabilities: What Is Known?
More specifically, the issues date back to at least 15 years, and are located in the PEAR PHP repository. As a result of a successful exploit, attackers could carry out a supply chain attack resulting in unauthorized access and arbitrary code execution.
In terms of impact and consequences, Sonar researchers compare the PEAR vulnerabilities to the SolarWinds attacks. “The impact of such attacks on developer tools such as PEAR is even more significant as they are likely to run it on their computers before deploying it on production servers, creating an opportunity for attackers to pivot into companies’ internal network,” Sonar researchers said.
The first vulnerability stems from a code commit made in March 2007 and is associated with the use of the cryptographically insecure mt_rand() PHP function in the password reset functionality. The issue could enable a threat actor to “discover a valid password reset token in less than 50 tries,” as per the report. Attack scenarios include targeting existing developer and administrator accounts and hijacking them to publish rogue versions of developer-maintained packages, creating the conditions for a supply chain attack.
The second vulnerability is CVE-2020-36193 and could help threat actors to gain persistence. The CVE-2020-36193 issue needs to be chained with the previous vulnerability for a successful exploit to take place. The flaw stems from the so-called pearweb’s reliance on an older version of Archive_Tar, and could lead to arbitrary code execution.
“After finding a way to access the features reserved to approved developers, threat actors are likely to look to gain remote code execution on the server. Such discovery would grant them considerably more operational capabilities: even if the previously mentioned bug ends up being fixed, a backdoor would allow keeping persistent access to the server and to continue to alter packages releases. It could also help them to hide their tracks by modifying access logs,” Sonar’s report added.
The good news is that the maintainers released a first patch on August 4th, in which they introduced a safe method to generate pseudo-random bytes in the password reset functionality. You can read more about it in the original report.
In 2021, the official PHP Git server was compromised in a software supply chain attack. The attackers pushed unauthorized updates to implant a backdoor in the server’s source code.