Do you remember the SolarWinds supply chain compromise that was revealed in December 2020? A similar issue now affects PHP, the server-side programming language powering over 79% of the websites on the Internet.
On March 28th, 2021, two commits to the PHP source code turned out to be more than extraordinary. They contained a backdoor that would execute attacker-supplied PHP code if the value of the HTTP_USER_AGENTT header (the CGI name of a ‘User-Agentt’ request header, note the doubled ‘t’) starts with ‘zerodium’. An attacker can misuse this change to achieve remote code execution on any server running the backdoored build. The true ‘authors’ of the commits tried to disguise them, presenting the commits as a fix for a typo.
Soon after community members started to wonder what this ’new feature’ was supposed to do, the PHP maintainers published an announcement.
Nikita Popov stated that the two malicious commits were pushed to the php-src repository under the names of Rasmus Lerdorf and himself. The investigation is ongoing and the PHP maintainers are reviewing their repositories for any corruption beyond the two referenced commits. It is not yet known how it happened, but according to the published announcement everything points towards a compromise of the git.php.net server rather than a compromise of an individual git account.
In a prompt response to the incident, Nikita Popov announced that the project will discontinue using git.php.net, since maintaining its own git infrastructure is an unnecessary security risk. The GitHub repositories will become canonical instead. This means that PHP contributors now need to be members of the PHP organization on GitHub, and enabling MFA is required for every member.
Ultimately, the malicious commits were identified and reverted.
The change could be misused to achieve RCE (Remote Code Execution). Line 370 of the patched file executes PHP code taken from the User-Agentt HTTP header if that string starts with ‘zerodium’. The variable ‘enc’ is set on line 366 and contains whatever was submitted in the HTTP_USER_AGENTT header, so the remainder of the header after the trigger word is the code that gets executed.
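The trigger described above can be turned directly into a hunting rule. The following Python script is an added example for this post; it is not code from PHP or from the original article. It models the behaviour the post describes (a request whose User-Agentt header starts with ‘zerodium’ gets the remainder of the header evaluated as PHP) and applies it as a detection check over raw HTTP request heads, such as those exported from a reverse proxy, WAF or packet capture. The header name is matched case-insensitively, as PHP's CGI layer would map any spelling of it to HTTP_USER_AGENTT. The sample requests in the block are constructed for the example.

```python
"""Hunt for HTTP requests that would trigger the "User-Agentt: zerodium" backdoor.

Added example; not code from PHP or from the original post. Sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

TRIGGER = "zerodium"    # magic prefix the backdoor looks for at the start of the header value
HEADER = "user-agentt"  # non-standard header name (doubled "t"); HTTP header names are case-insensitive


@dataclass
class Finding:
    request_line: str  # e.g. "GET /index.php HTTP/1.1"
    payload: str       # text after the trigger word: the PHP code the backdoor would have executed


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split one raw HTTP request head into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines instead of aborting the whole hunt
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def check_request(raw: str) -> Optional[Finding]:
    """Return a Finding if this request would have triggered the backdoor, otherwise None."""
    request_line, headers = parse_request_head(raw)
    value = headers.get(HEADER)
    # The backdoor never consults the regular User-Agent header, so a scanner that merely
    # advertises "zerodium" in User-Agent is not a hit; only User-Agentt starting with it is.
    if value is None or not value.startswith(TRIGGER):
        return None
    return Finding(request_line, value[len(TRIGGER):].strip())


def hunt(requests: Iterable[str]) -> List[Finding]:
    """Run the check over a batch of raw request heads and keep the hits."""
    return [f for f in map(check_request, requests) if f is not None]


# Constructed sample traffic: one benign request, one near miss, two real triggers.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: zerodium-scanner/1.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: www.example.com\r\nUser-Agentt: zerodiumphpinfo();\r\n\r\n",
    "POST /index.php HTTP/1.1\r\nHost: www.example.com\r\nUSER-AGENTT: zerodium echo getenv('PATH');\r\n\r\n",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REQUESTS):
        print(f"{finding.request_line!r} would have executed PHP: {finding.payload!r}")
```

Two practical caveats for using this as a hunt. Default web server access logs do not record custom request headers, so you need a log source that keeps full headers (a proxy or WAF log, a packet capture, or an Apache LogFormat extended with %{User-Agentt}i). And because ‘User-Agentt’ is not a standard header at all, the mere presence of that header name, whatever its value, is worth flagging on its own as a broader rule.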
We recommend performing the following activities:
- Threat hunting – if you suspect that attackers are inside your infrastructure. Independently of this case, it is always a good idea to assume that some services might have been compromised in the past and that the attackers are still there.
- Secure code reviews – especially if you build against the bleeding-edge version (the current php-src repository) for development and testing of your products and those systems are reachable from the internet. In that case we suggest reviewing your products and threat hunting as well.
- Managed defense – in this case the malicious commits are only the tip of the iceberg. Most probably the attackers had been inside the PHP project's infrastructure for longer. With our premium managed defense we can catch similar attacks at an earlier stage, and with data from continuous monitoring the investigation can be much faster.
- Outsourced CSIRT – having incident response capability on call can significantly speed up incident resolution. If you don’t have an in-house computer security incident response team, you can outsource this to an MSSP such as LIFARS, which has its own team called LISIRT.