PT-2023-5957
Niels Dossche
Published: 2023-08-03
Updated: 2025-09-29
CVE-2023-3824
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
PHP versions 8.0.* before 8.0.30
PHP versions 8.1.* before 8.1.22
PHP versions 8.2.* before 8.2.8
Description
The vulnerability is caused by insufficient length checking when loading phar files, leading to a stack buffer overflow that can result in memory corruption or remote code execution (RCE). It was reportedly exploited by law enforcement agencies in Operation Cronos to compromise the LockBit ransomware group's infrastructure; the group claims that the vulnerability, in PHP version 8.1.2 specifically, was used to gain access to its servers. LockBit is estimated to have affected over 2000 individuals and organizations, demanding over $91 million in ransom from American organizations alone. Because the flaw allows RCE, an attacker can execute arbitrary code on the affected system.
Recommendations
For PHP versions 8.0.* before 8.0.30, update to version 8.0.30 or later.
For PHP versions 8.1.* before 8.1.22, update to version 8.1.22 or later.
For PHP versions 8.2.* before 8.2.8, update to version 8.2.8 or later.
As a temporary workaround, consider disabling the phar functionality until the update can be applied.
Restrict access to phar files to minimize the risk of exploitation.
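An added triage helper, not part of this advisory: it parses the output of `php -v` and `php -m` (sample output below is constructed), compares the version against the fixed releases listed above, and recommends the update or the phar workaround accordingly.

```python
import re

# First fixed patch release per branch, from the advisory (8.0.30, 8.1.22, 8.2.8).
FIXED_PATCH = {(8, 0): 30, (8, 1): 22, (8, 2): 8}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract (major, minor, patch) from a bare version string or the first
    line of `php -v` output, e.g. 'PHP 8.1.2-1ubuntu2.14 (cli) (built: ...)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def phar_loaded(php_m_output):
    """True if the Phar module appears in `php -m` output (one module per line)."""
    return any(line.strip().lower() == "phar" for line in php_m_output.splitlines())


def assess(php_v_output, php_m_output):
    """Classify a host against CVE-2023-3824 and say what to do about it."""
    major, minor, patch = parse_php_version(php_v_output)
    fixed = FIXED_PATCH.get((major, minor))
    result = {"version": f"{major}.{minor}.{patch}", "phar_loaded": phar_loaded(php_m_output)}
    if fixed is None:
        # Branch not listed in the advisory: make no claim either way.
        result.update(affected=None, action="branch not covered by this advisory")
    elif patch < fixed:
        result.update(affected=True, action=f"update to {major}.{minor}.{fixed} or later")
        if result["phar_loaded"]:
            result["action"] += "; disable phar until updated"
    else:
        result.update(affected=False, action="none")
    # Caveat (assumption about distro packaging): vendors may backport the fix
    # without changing the version string, so confirm a hit against the package changelog.
    return result


# Constructed sample output, not captured from a real host.
SAMPLE_PHP_V = "PHP 8.1.2-1ubuntu2.14 (cli) (built: Aug 18 2023 11:41:11) (NTS)"
SAMPLE_PHP_M = "[PHP Modules]\nCore\njson\nPhar\nzlib\n"

if __name__ == "__main__":
    print(assess(SAMPLE_PHP_V, SAMPLE_PHP_M))
```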
Tags: Exploit, Fix, DoS, RCE, Buffer Overflow
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Php
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu