Sid 1-46469

Message

SERVER-WEBAPP PHP unserialize integer overflow attempt

Summary

This event is generated when an attempt is made to trigger an integer overflow through PHP's unserialize() function.

Impact

Attempted Administrator Privilege Gain

CVE-2017-5340:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

The rule looks for a payload carrying an exploit that triggers the overflow in order to gain administrative control of the victim system. CVE-2017-5340: Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.
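As an added example that is not part of this rule documentation, the following Python pre-check flags serialized PHP input whose declared string or array lengths cannot be satisfied by the payload, or do not fit a 32-bit count, before the data reaches unserialize(). The three-token grammar subset, the thresholds and the sample payloads are assumptions of this heuristic, not the Snort rule's own matching logic.

```python
import re

# Length-carrying tokens in PHP's serialize() format (subset, assumed here):
#   s:<len>:"..."      string
#   a:<count>:{...}    array
#   O:<len>:"Class"... object (class-name length)
_LEN_TOKEN = re.compile(rb'([asO]):(\d+):')

# Array counts are stored in 32-bit fields inside zend_hash; anything larger
# is treated as an overflow attempt by this heuristic (assumed threshold).
INT32_MAX = 2**31 - 1


def find_oversized_lengths(payload: bytes, max_elements: int = 10_000):
    """Return (offset, kind, declared, reason) for each implausible length."""
    findings = []
    pos, size = 0, len(payload)
    while True:
        m = _LEN_TOKEN.search(payload, pos)
        if not m:
            return findings
        kind, declared = m.group(1).decode(), int(m.group(2))
        remaining = size - m.end()
        if declared > INT32_MAX:
            reason = "exceeds 32-bit count range"
        elif declared > remaining:
            # Even one byte per element/character cannot fit in what is left.
            reason = "exceeds remaining payload bytes"
        elif kind == "a" and declared > max_elements:
            reason = "exceeds element budget"
        else:
            reason = None
        if reason:
            findings.append((m.start(1), kind, declared, reason))
        pos = m.end()
        if kind in ("s", "O") and reason is None:
            # Skip the opening quote and the body so that decoy tokens inside
            # string contents are not scanned as real length declarations.
            pos += 1 + declared


def is_suspicious(payload: bytes) -> bool:
    return bool(find_oversized_lengths(payload))


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "benign":      b'a:2:{i:0;s:5:"hello";i:1;i:42;}',
    "decoy":       b's:12:"a:99999999:{";',
    "huge_count":  b'a:2147483648:{}',
    "short_array": b'a:100000:{}',
    "short_str":   b's:5000:"abc";',
}


def scan_samples():
    return {name: is_suspicious(data) for name, data in SAMPLES.items()}
```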

Affected systems

  • php php 7.0.0
  • php php 7.0.1
  • php php 7.0.2
  • php php 7.0.3
  • php php 7.0.4
  • php php 7.0.5
  • php php 7.0.6
  • php php 7.0.7
  • php php 7.0.8
  • php php 7.0.9
  • php php 7.0.10
  • php php 7.0.11
  • php php 7.0.12
  • php php 7.0.13
  • php php 7.0.14

Ease of attack

CVE-2017-5340:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References