Yii2 Deserialization Remote Command Execution Vulnerability (CVE-2020-15148) Protection Solution

Yii2 Deserialization Remote Command Execution Vulnerability (CVE-2020-15148) Protection Solution

October 21, 2020 | Mina Hao

Overview

Recently, NSFOCUS detected that Yii Framework 2 disclosed a deserialization remote command execution vulnerability (CVE-2020-15148) in its update log published on September 14, 2020.

By adding the _wakeup() function to Class yii\db\BatchQueryResult, Yii Framework 2 disables yii\db\BatchQueryResult deserialization and prevents remote command execution caused by application calling ‘unserialize()’ on arbitrary user input.

Yii2 is a high-performance, open-source, component-based PHP framework for rapidly developing modern Web applications.

At present, Yii Framework 2 has released a new version to fix the vulnerability. NSFOCUS detection and protection products are capable of scanning and detecting the vulnerability. Affected users are advised to take preventive measures as soon as possible.

Reference links:

https://github.com/yiisoft/yii2/blob/928b511d75ee719cd4007f220eafce9eab4d1b4a/framework/CHANGELOG.md
https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj

Affected Versions

  • Yii2 Version < 2.0.38             

Technical Solutions

  • Official Fix

The vendor has released the new version 2.0.38 to fix the vulnerability.

The update is available at the following link:

https://github.com/yiisoft/yii2/releases/tag/2.0.38
  • NSFOCUS’s Recommendations

Using NSFOCUS’s Detection Products or Services

For internal assets, use NSFOCUS Remote Security Assessment System (RSAS V6), Web Vulnerability Scanning System (WVSS), Intrusion Detection System (NIDS), and Unified Threat Sensor (UTS) to detect the vulnerability:

  • Remote Security Assessment System (RSAS V6)
http://update.nsfocus.com/update/listRsas
  • Web Vulnerability Scanning System (WVSS)
http://update.nsfocus.com/update/listWvss
  • NSFOCUS Intrusion Detection System (NIDS)
http://update.nsfocus.com/update/listIds
http://update.nsfocus.com/update/bsaUtsIndex
  • Upgrade Package/Rule Base Versions of Detection Products
Detection ProductUpgrade Package/Rule Base Version
RSAS V6’s web plug-in packageV6.0R02F00.1816
WVSSV6.0R03F00.182
IDS5.6.9.23576, 5.6.10.23576
UTS5.6.10.23576
  • Using NSFOCUS’s Protection Products to Detect the Vulnerability

Use NSFOCUS protection products, such as NSFOCUS Intrusion Protection System (NIPS), Next-Generation Firewall (NF), and Web Application Firewall (WAF), to defend against the vulnerability.

  • NSFOCUS Intrusion Protection System (NIPS)
http://update.nsfocus.com/update/listIps
  • Next-Generation Firewall (NF)
http://update.nsfocus.com/update/listNf
  • Web Application Firewall (WAF)
http://update.nsfocus.com/update/wafIndex
  • Upgrade Package/Rule Base Versions of Protection Products
Protection ProductUpgrade Package/Rule Base VersionRule ID
IPS5.6.9.23576, 5.6.10.2357625037
NF6.0.1.828, 6.0.2.82825037
WAF6.0.7.0.46432, 6.0.7.1.4643227005015

Appendix: Product/Platform Use Guides

  • Scanning Configuration on RSAS

On RSAS, under Services > System Upgrade, click Choose File in the Manual Upgrade area and find the update file just downloaded.

Click Upgrade. Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.

  • Scanning Configuration on WVSS

On WVSS, under Services > System Upgrade, in the Manual Upgrade area, click Browse to find the update file just downloaded.

Click Upgrade. Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.

  • Detection Configuration on UTS

On UTS, under System > System Upgrade > Offline Upgrade, browse to the update file just downloaded and click Upload.

  • Protection Configuration on NIPS

On NIPS, under System > System Update > Offline Update, browse to the update file just downloaded and click Upload.

After the update is installed, find the rule by ID in the default rule base and view rule details.

  • Protection Configuration on NF

On the web-based manager of NSFOCUS NF, under System > System Upgrade > Offline Upgrade, browse to the update file and click Upload.

Wait for the installation to complete.

  • Protection Configuration on WAF

On WAF, choose System Management > System Tools > Rule Upgrade.

Wait for the installation to complete.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.