Symfony: 8 new security vulnerabilities discovered - Analysis and recommendations

After a year without a single security issue, Symfony disclosed eight vulnerabilities at once on its blog on November 6, 2024. They affect different versions of the Symfony framework (two of them concern the Twig template engine that ships with it). Here is a summary of these vulnerabilities, their potential impact, and the fixes Symfony released, to help you understand what they mean for the security of your applications.

Introduction

Even the most renowned frameworks, such as Symfony, are never immune to security flaws. Whatever application solution you choose, you need to be vigilant. Safeguards such as a ModSecurity application firewall and automatic attacker blocking (fail2ban), combined with a good outsourced backup policy, are essential.

On LRob secure web hosting, our Linux servers support your application security with ModSecurity combined with fail2ban, which actively blocks attempts to exploit vulnerabilities; full outsourced backups are made daily with a one-year retention period. Choosing LRob as your hosting provider means benefiting from a simple, secure hosting solution while adding a rigorous, available and passionate sysadmin to your team!

Symfony security holes (November 2024)

CVE-2024-51736: Hijacking command execution on Windows with the Process class

Versions concerned
Symfony versions =6, =7, <7.1.7.

Description
This flaw allows command execution to be hijacked on Windows systems when a file named cmd.exe is present in the current working directory: the Process class could then execute that file instead of the system's own cmd.exe, paving the way for malicious hijacking.

Resolution
Symfony corrected this problem by making the Process class use the absolute path to cmd.exe.

See the official Symfony article.


CVE-2024-50341: Security::login method ignores custom user_checker

Versions concerned
Symfony versions >=6.2, =7.0, =7.1, <7.1.3.

Description
Symfony's Security::login method did not take the configured user_checker into account, which could allow logins that the checker should have refused.

Resolution
The patch makes Security::login call the configured user_checker.
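What a user_checker guards, as an added example that is not Symfony's own code: a checker that refuses disabled accounts, the kind of check a programmatic Security::login skipped before this fix. The class name App\Security\UserChecker and the User::isDisabled() method are assumptions for the illustration.

```php
<?php
// Added example (not Symfony's code). Wire it to the firewall in
// config/packages/security.yaml:
//     security:
//         firewalls:
//             main:
//                 user_checker: App\Security\UserChecker
declare(strict_types=1);

namespace App\Security;

use App\Entity\User; // assumed application entity with an isDisabled() method
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

final class UserChecker implements UserCheckerInterface
{
    // Runs before credentials are verified: refuse accounts that must never log in.
    public function checkPreAuth(UserInterface $user): void
    {
        if (!$user instanceof User) {
            return;
        }

        if ($user->isDisabled()) {
            // The message is safe to show to the end user; the exception itself
            // ends up in the security log for the audit trail.
            throw new CustomUserMessageAccountStatusException('This account has been disabled.');
        }
    }

    // Runs after credentials are verified (e.g. password-expiry checks go here).
    public function checkPostAuth(UserInterface $user): void
    {
    }
}

// Before the fix, $security->login($user) in a controller bypassed checkPreAuth()
// entirely, so a disabled account could still obtain a session that way.
// On patched versions it is called exactly as for a form or API login.
```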

See the official Symfony article.


CVE-2024-50340: Change environment via a request

Versions concerned
Symfony versions =6, =7, <7.1.7.

Description
By sending a specially crafted query string, a user could change the kernel environment or the debug mode when the PHP directive register_argc_argv is enabled.

Resolution
The SymfonyRuntime component now ignores argv values outside CLI environments.
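The guard the fix amounts to, written stand-alone as an added example (not the runtime's own code): with register_argc_argv enabled, PHP fills $_SERVER['argv'] from the query string of a web request, so --env= and --no-debug must only be honoured for command-line SAPIs. The SAPI list and the kernelOptionsFromArgv() name are assumptions for the illustration.

```php
<?php
// Added example (not Symfony's code): read --env / --no-debug from argv only
// when PHP really runs on the command line.
declare(strict_types=1);

function kernelOptionsFromArgv(array $server, string $sapi): array
{
    $overrides = [];

    // Only command-line SAPIs carry trustworthy argv (constructed list; the
    // exact set the runtime uses is an assumption here).
    if (!in_array($sapi, ['cli', 'phpdbg', 'embed'], true)) {
        return $overrides;
    }

    foreach ($server['argv'] ?? [] as $arg) {
        if (str_starts_with($arg, '--env=')) {
            $overrides['APP_ENV'] = substr($arg, strlen('--env='));
        } elseif ($arg === '--no-debug') {
            $overrides['APP_DEBUG'] = '0';
        }
    }

    return $overrides;
}

// Constructed inputs. With register_argc_argv=On, a request to
// /index.php?--env=dev+--no-debug gives PHP-FPM an argv split on "+", which
// is exactly what the vulnerable runtime parsed as if it came from a console.
$webServer = ['argv' => ['--env=dev', '--no-debug']];
$cliServer = ['argv' => ['bin/console', '--env=dev', '--no-debug']];

var_dump(kernelOptionsFromArgv($webServer, 'fpm-fcgi')); // web SAPI: argv ignored
var_dump(kernelOptionsFromArgv($cliServer, 'cli'));      // console: overrides honoured

// Defence in depth independent of the framework version: turn the directive
// off for web SAPIs in php.ini, the FPM pool or .user.ini:
//     register_argc_argv = Off
```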

See the official Symfony article.


CVE-2024-50342: Enumeration of internal addresses and ports via NoPrivateNetworkHttpClient

Versions concerned
Symfony versions =6, =7, <7.1.7.

Description
Even with NoPrivateNetworkHttpClient, some internal information could still be exposed, enabling the enumeration of internal IP addresses and ports.

Resolution
The NoPrivateNetworkHttpClient client now applies its blocked-IP filtering from the start of host resolution.

See the official Symfony article.


CVE-2024-50343: Incorrect Validator response with input ending in \n

Versions concerned
Symfony versions =6, =7, <7.1.4.

Description
Validation using a regular expression could be bypassed by appending a \n to the end of the input, which caused the Validator to return an incorrect result.

Resolution
Symfony now uses the D regex modifier, so that the $ anchor only matches at the very end of the input, guaranteeing that the entire input is validated.
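The bypass and the fix side by side, as an added example that is not Symfony's code: in PCRE, $ also matches just before a final newline, so a pattern anchored with $ alone accepts "42\n"; the D modifier (PCRE_DOLLAR_ENDONLY) restricts $ to the real end of the subject, and \z does the same without a modifier. The matches() helper and the sample inputs are constructed for the illustration.

```php
<?php
// Added example (not Symfony's code): trailing-newline bypass of a "$"-anchored
// regex, and the two equivalent ways to close it.
declare(strict_types=1);

function matches(string $pattern, string $input): bool
{
    $result = preg_match($pattern, $input);
    if ($result === false) {
        throw new RuntimeException('Invalid pattern: ' . preg_last_error_msg());
    }

    return $result === 1;
}

$patterns = [
    'weak ($)'      => '/^\d+$/',   // "$" tolerates one trailing "\n"
    'fixed ($ + D)' => '/^\d+$/D',  // the modifier the Symfony fix adds
    'fixed (\z)'    => '/^\d+\z/',  // explicit end-of-subject anchor
];

// Constructed inputs: a clean value, the same value with a trailing newline
// (the bypass), a value where the newline is not last, and a non-number.
$inputs = ["42", "42\n", "42\nabc", "abc"];

foreach ($inputs as $input) {
    echo json_encode($input), ':';
    foreach ($patterns as $label => $pattern) {
        echo '  ', $label, '=', matches($pattern, $input) ? 'accepted' : 'rejected';
    }
    echo "\n";
}
```

The fix covers Symfony's built-in validators; a pattern you write yourself for an Assert\Regex constraint is passed to preg_match as-is, so it still needs the D modifier or \z.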

See the official Symfony article.


CVE-2024-50345: Open redirection via browser-sanitized URLs

Versions concerned
Symfony versions =6, =7, <7.1.7.

Description
By using special characters in a URL, an attacker could hijack a redirect built from the Request class and send users to another domain.

Resolution
The Request::create method now checks URIs for invalid characters.

See the official Symfony article.

Twig CVE-2024-51754: Unprotected calls to __toString() in a sandbox

Versions concerned
Twig versions =3.12, <3.14.1.

Description
In a sandbox environment, an attacker could call the __toString() method of an object even when the security policy did not allow it, opening the door to a bypass of the sandbox restrictions.

Resolution
Sandbox mode now systematically checks calls to __toString() on all objects.

See the official Symfony article.


Twig CVE-2024-51755: Unprotected calls to __isset() and Array object accesses in a sandbox

Versions concerned
Twig versions =3.12, <3.14.1.

Description
In a sandbox environment, array-like objects could expose attributes without security checks. This allowed an attacker to access potentially sensitive properties.

Resolution
Sandbox mode now checks access to the properties of array-like objects, and calls __isset() only after the security check has passed.

See the official Symfony article.


Conclusion and recommendations from LRob

These eight flaws show that even the most robust frameworks like Symfony are not immune to security vulnerabilities. Fortunately, the Symfony team reacted quickly to provide patches. And as it should be, the vulnerabilities were only made public after they had been patched. If you're using Symfony, make sure you update as soon as possible to protect your applications and your users.

Never forget that no software solution is free from security flaws. Your vigilance must be continuous, and regular updates remain the best line of defense against security flaws and cyberthreats.

At LRob, our servers offer optimal security:

  • No Windows vulnerability: as our servers run on Linux, they are not affected by Windows-specific vulnerabilities.
  • Server software updates: server software is updated daily and monitored 24/7.
  • ModSecurity firewall: by actively filtering malicious requests, our firewall protects your applications.
  • Outsourced backups: we make daily outsourced backups to facilitate data recovery in the event of an incident, and you can also make your own backups to the FTP of your choice (e.g. via a VPS Storage Cloud from PulseHeberg) via Plesk.
