After a flawless year, Symfony disclosed eight vulnerabilities at once on its blog on 6 November 2024. They affect different versions of the Symfony framework (two of them concern the Twig templating engine). Here is a summary of these critical vulnerabilities, their potential impact, and the fixes implemented by Symfony, to help you understand what they mean for the security of your applications.
Introduction
Even the most renowned frameworks like Symfony are never immune to security flaws. Whatever application stack you choose, you need to stay vigilant. Defence-in-depth measures such as a ModSecurity web application firewall and automatic blocking of attackers (fail2ban), combined with a sound off-site backup policy, are essential.
On LRob secure web hosting, our Linux servers help to ensure your application security thanks to ModSecurity combined with fail2ban, which actively blocks attempts to exploit vulnerabilities; full off-site backups are made every day with a one-year retention period. Choosing LRob as your hosting provider means taking advantage of a simple, secure hosting solution while adding a rigorous, available and passionate sysadmin to your team!
Symfony security holes (November 2024)
CVE-2024-51736: Hijacking command execution on Windows with the Process class
Versions concerned
Symfony versions =6, =7, <7.1.7.
Description
This vulnerability allows command execution to be hijacked on Windows systems when a file named cmd.exe is present in the current working directory. The Process class, which invokes cmd.exe by its bare name, could then execute that file instead of the system binary, paving the way for malicious hijacking.
Resolution
Symfony has fixed this problem by forcing the Process class to use the absolute path to cmd.exe.
See the official Symfony article.
CVE-2024-50341: Security::login method ignores custom user_checker
Versions concerned
Symfony versions >=6.2, =7.0, =7.1, <7.1.3.
Description
Symfony's Security::login method did not invoke the configured user_checker, which could allow logins that the checker should have rejected (for example, for a disabled or locked account).
Resolution
The patch now calls the configured user_checker before the login is performed.
See the official Symfony article.
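To illustrate why a programmatic login must consult the user checker, here is an added example that is not Symfony's code: it declares a minimal stand-in for the user-checker contract (the method name checkPreAuth mirrors Symfony's UserCheckerInterface, but the interfaces, the User class, the StatusUserChecker and the ProgrammaticLogin service are all constructed here so the script runs on its own) and shows the pre-patch behaviour (no checker consulted) beside the fixed one.

```php
<?php
// Added example (not Symfony's own code): a login service with and without a
// user checker. Interfaces are declared inline so the script runs stand-alone.
declare(strict_types=1);

interface UserInterface { public function getUserIdentifier(): string; }
interface UserCheckerInterface { public function checkPreAuth(UserInterface $user): void; }

final class AccountDisabledException extends RuntimeException {}

/** Constructed user with the two status flags the checker looks at. */
final class User implements UserInterface
{
    public function __construct(private string $id, public bool $enabled = true, public bool $locked = false) {}
    public function getUserIdentifier(): string { return $this->id; }
}

/** Constructed checker: refuses disabled or locked accounts before authentication. */
final class StatusUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        if ($user instanceof User && (!$user->enabled || $user->locked)) {
            throw new AccountDisabledException("Account {$user->getUserIdentifier()} may not log in");
        }
    }
}

/** Stand-in for a Security::login-style service; $session records who got a session. */
final class ProgrammaticLogin
{
    public array $session = [];
    public function __construct(private ?UserCheckerInterface $checker) {}

    public function login(UserInterface $user): void
    {
        // The fix: run the configured checker first. With $checker null
        // (modelling the pre-patch behaviour) a disabled user is logged in anyway.
        $this->checker?->checkPreAuth($user);
        $this->session['user'] = $user->getUserIdentifier();
    }
}

$disabled = new User('alice', enabled: false);

$vulnerable = new ProgrammaticLogin(null);
$vulnerable->login($disabled);
echo 'without checker: session user = ', $vulnerable->session['user'], PHP_EOL; // alice

$patched = new ProgrammaticLogin(new StatusUserChecker());
try {
    $patched->login($disabled);
} catch (AccountDisabledException $e) {
    echo 'with checker: ', $e->getMessage(), PHP_EOL; // Account alice may not log in
}
$patched->login(new User('bob'));
echo 'with checker: session user = ', $patched->session['user'], PHP_EOL; // bob
```

In a real application the checker is the one registered under the firewall's user_checker option; the point of the example is that whatever path creates the authenticated session, form login or programmatic login, must pass through it.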
CVE-2024-50340: Change of environment via a request
Versions concerned
Symfony versions =6, =7, <7.1.7.
Description
By manipulating a specific query string, users can change the kernel environment or debug mode when PHP's register_argc_argv setting is enabled, because PHP then populates $_SERVER['argv'] from the query string even for web requests.
Resolution
The SymfonyRuntime component now ignores argv values when PHP is not running under the CLI SAPI.
See the official Symfony article.
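The following added example is not Symfony's runtime; it is a simplified stand-in for the part of a runtime that derives the environment name and debug flag. The option names --env and --no-debug, the resolveRuntimeOptions function and the sample argv arrays are assumptions made for the illustration. It shows the fix principle: argv is only trusted when the script really runs under the cli SAPI.

```php
<?php
// Added example (not Symfony's own SymfonyRuntime): environment/debug resolution
// that honours argv only for the CLI SAPI.
declare(strict_types=1);

/**
 * Compute [env, debug] from environment variables and, for CLI only, from argv.
 * $sapi and $argv are injected so the function can be exercised with constructed
 * values; in production you would pass PHP_SAPI and $_SERVER['argv'] ?? [].
 */
function resolveRuntimeOptions(array $env, array $argv, string $sapi): array
{
    $appEnv  = $env['APP_ENV'] ?? 'prod';
    $noDebug = false;

    // With register_argc_argv=On, a web request such as /index.php?--env=dev
    // makes PHP fill $_SERVER['argv'] from the query string. Honouring it outside
    // the CLI would let any visitor switch the kernel into dev/debug mode.
    if ($sapi === 'cli') {
        foreach ($argv as $i => $arg) {
            if ($i === 0) {
                continue; // script name
            }
            if ($arg === '--no-debug') {
                $noDebug = true;
            } elseif (str_starts_with($arg, '--env=')) {
                $appEnv = substr($arg, strlen('--env='));
            } elseif ($arg === '--env' && isset($argv[$i + 1])) {
                $appEnv = $argv[$i + 1];
            }
        }
    }

    // Debug defaults to "not prod" unless APP_DEBUG says otherwise; --no-debug always wins.
    $debug = filter_var($env['APP_DEBUG'] ?? ($appEnv !== 'prod'), FILTER_VALIDATE_BOOL);
    return [$appEnv, $debug && !$noDebug];
}

// Constructed scenarios (no real request or console involved).
$cases = [
    'web request, argv from query string' => [['APP_ENV' => 'prod'], ['--env=dev'], 'apache2handler'],
    'php-fpm, APP_DEBUG forced on'         => [['APP_ENV' => 'prod', 'APP_DEBUG' => '1'], ['--env=test'], 'fpm-fcgi'],
    'console, --env=test --no-debug'       => [['APP_ENV' => 'prod'], ['bin/console', '--env=test', '--no-debug'], 'cli'],
    'console, --env dev'                   => [['APP_ENV' => 'prod'], ['bin/console', '--env', 'dev'], 'cli'],
];
foreach ($cases as $label => [$env, $argv, $sapi]) {
    [$e, $d] = resolveRuntimeOptions($env, $argv, $sapi);
    printf("%-40s env=%s debug=%s\n", $label, $e, var_export($d, true));
}
// web request ...   env=prod debug=false   (argv ignored)
// php-fpm ...       env=prod debug=true    (argv ignored, APP_DEBUG respected)
// console ...       env=test debug=false
// console ...       env=dev  debug=true
```

Independently of the framework fix, leaving register_argc_argv at its default of Off for web SAPIs removes the attack surface entirely; the runtime check is the belt to that braces.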
CVE-2024-50342: Enumeration of internal addresses and ports via NoPrivateNetworkHttpClient
Versions concerned
Symfony versions =6, =7, <7.1.7.
Description
Even with NoPrivateNetworkHttpClient, certain internal information could still be exposed: the private-network filter was applied too late in the request, so differences in responses allowed enumeration of internal IP addresses and ports.
Resolution
The NoPrivateNetworkHttpClient client now applies its blocked-IP filtering from the start of host resolution, before any connection is attempted.
See the official Symfony article.
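To show what "filtering from the start of host resolution" means in practice, here is an added example that is not Symfony's code: a resolvePublicTargets function (hypothetical name) that resolves a host through an injected resolver, rejects private, loopback, link-local and reserved addresses before anything is dialled, and reports every refusal with one generic message so the caller learns nothing about what sits behind a blocked name. The resolver, the host names and the addresses are constructed for the demonstration; no network access is needed.

```php
<?php
// Added example (not Symfony's own client): block non-public destinations at
// name-resolution time, before a socket is opened, with a single generic error.
declare(strict_types=1);

/** True only for globally routable addresses (private and reserved ranges rejected). */
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Resolve $host with $resolver (callable: host name => list of IP strings) and
 * return the IPs that may be connected to. Any empty answer, any non-public
 * address, or a mix of public and private answers (DNS rebinding) is refused
 * with the same message, so the response does not reveal which case occurred.
 */
function resolvePublicTargets(string $host, callable $resolver): array
{
    // A literal IP skips DNS; anything else goes through the resolver.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);

    if ($ips === [] || count(array_filter($ips, 'isPublicIp')) !== count($ips)) {
        throw new RuntimeException('Destination refused by private-network policy');
    }
    return $ips;
}

// Constructed resolver standing in for DNS; addresses are documentation ranges.
$fakeDns = static function (string $host): array {
    return [
        'public.example'   => ['198.51.100.10'],
        'intranet.example' => ['10.0.0.5'],
        'rebind.example'   => ['198.51.100.20', '127.0.0.1'],
    ][$host] ?? [];
};

foreach (['public.example', 'intranet.example', 'rebind.example', '169.254.169.254', 'nosuch.example'] as $host) {
    try {
        echo $host, ' => ', implode(',', resolvePublicTargets($host, $fakeDns)), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $host, ' => ', $e->getMessage(), PHP_EOL;
    }
}
// public.example  => 198.51.100.10
// the other four  => Destination refused by private-network policy
```

The order matters: resolving first and then letting the transport fail would let an attacker distinguish "name does not exist", "host unreachable" and "port closed" from timing and error messages, which is exactly the enumeration the advisory describes.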
CVE-2024-50343: Incorrect Validator response with an input ending in \n
Versions concerned
Symfony versions =6, =7, <7.1.4.
Description
Validation using a regular expression could be circumvented by appending a \n to the input: in PCRE, the $ anchor also matches just before a trailing newline, so a value that should have been rejected was accepted by the Validator.
Resolution
Symfony now uses the D (dollar end only) regex modifier, so that $ matches only at the very end of the input and the whole value is validated.
See the official Symfony article.
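The following added example (plain PHP, not Symfony's Validator code) demonstrates the bypass and the fix with preg_match: the same ^...$ pattern is run with and without the D modifier, and also with the \z anchor, which never matches before a trailing newline. The pattern and the sample inputs are constructed for the illustration.

```php
<?php
// Added example (not Symfony's own code): why a `$`-anchored pattern accepts a
// trailing newline unless the D (PCRE_DOLLAR_ENDONLY) modifier is set.
declare(strict_types=1);

/**
 * Without D, PCRE lets `$` match immediately before a final "\n", so "admin\n"
 * passes even though the newline is not in the character class.
 */
function matchesWithoutD(string $input): bool
{
    return preg_match('/^[a-z0-9]+$/', $input) === 1;
}

/** With D, `$` matches only at the very end of the subject. */
function matchesWithD(string $input): bool
{
    return preg_match('/^[a-z0-9]+$/D', $input) === 1;
}

/** \z is an alternative end anchor that is never satisfied before a trailing newline. */
function matchesWithZ(string $input): bool
{
    return preg_match('/^[a-z0-9]+\z/', $input) === 1;
}

// Constructed inputs; the second one carries the trailing-newline bypass.
$cases = ["admin", "admin\n", "admin\n\n", "ad min"];
foreach ($cases as $case) {
    printf(
        "%-12s withoutD=%-5s withD=%-5s with\\z=%s\n",
        json_encode($case),
        var_export(matchesWithoutD($case), true),
        var_export(matchesWithD($case), true),
        var_export(matchesWithZ($case), true)
    );
}
// "admin"      withoutD=true  withD=true  with\z=true
// "admin\n"    withoutD=true  withD=false with\z=false
// "admin\n\n"  withoutD=false withD=false with\z=false
// "ad min"     withoutD=false withD=false with\z=false
```

Only a single trailing newline triggers the behaviour (two newlines are rejected either way), which is why the bypass is easy to overlook in testing. The same rule applies to any user-written pattern passed to Symfony's Regex constraint: anchor with \z, or add D, whenever the end of the value matters.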
CVE-2024-50345: Open redirection via URLs "sanitised" by the browser
Versions concerned
Symfony versions =6, =7, <7.1.7.
Description
By placing special characters in a URL that browsers silently strip or normalise, an attacker could hijack a redirect built from the Request object and send users to another domain.
Resolution
The method Request::create now checks that URIs do not contain invalid characters.
See the official Symfony article.
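As an added example that is not Symfony's code, here is an application-side check for redirect targets that applies the same idea as the fix: reject any URI containing characters a browser might "repair" (ASCII control characters including tab, CR and LF, spaces and backslashes), then only allow site-relative paths or absolute URLs whose host is on an allowlist. The isSafeRedirectTarget function, the allowlist and the sample URIs are constructed for the illustration.

```php
<?php
// Added example (not Symfony's own Request code): validating a redirect target
// before issuing a Location header.
declare(strict_types=1);

/**
 * Returns true when $uri is safe to redirect to: either a site-relative path
 * (single leading slash) or an http(s) URL whose host is in $allowedHosts
 * (lower-case host names). Anything containing characters that browsers strip
 * or normalise is refused outright, because such input may parse one way here
 * and another way in the browser.
 */
function isSafeRedirectTarget(string $uri, array $allowedHosts): bool
{
    // Control characters (\x00-\x1f), space, DEL and backslash are never legitimate here.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $uri) === 1) {
        return false;
    }

    $parts = parse_url($uri);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // javascript:, data:, etc.
    }
    if (isset($parts['host'])) {
        // Covers absolute URLs and protocol-relative "//host/path" forms alike.
        return in_array(strtolower($parts['host']), $allowedHosts, true);
    }

    // No host: must be a site-relative path that cannot be read as "//host".
    return isset($parts['path'])
        && str_starts_with($parts['path'], '/')
        && !str_starts_with($parts['path'], '//');
}

// Constructed cases: the allowlist contains only the application's own host.
$allowed = ['app.example'];
$cases = [
    '/dashboard',
    'https://app.example/account',
    '//evil.example/phish',
    "https://app.example\t.evil.example/",
    "/\\evil.example",
    'javascript:alert(1)',
    'https://app.example@evil.example/',
];
foreach ($cases as $uri) {
    printf("%-40s %s\n", json_encode($uri), isSafeRedirectTarget($uri, $allowed) ? 'allowed' : 'refused');
}
// Only the first two are allowed; every other case is refused.
```

Refusing the input rather than trying to clean it is deliberate: any sanitisation performed on the server has to guess what every browser will do with the leftover characters, whereas a rejected value has no ambiguity at all.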
Twig CVE-2024-51754: Unprotected calls to __toString() in a sandbox
Versions concerned
Twig versions =3.12, <3.14.1.
Description
In a sandbox environment, an attacker could call the __toString() method of an object even if this method was not authorised by the security policy, opening the door to bypassing sandbox restrictions.
Resolution
Sandbox mode now checks every __toString() call against the security policy, for all objects.
See the official Symfony article.
Twig CVE-2024-51755: Unprotected calls to __isset() and access to array-like objects in a sandbox
Versions concerned
Twig versions =3.12, <3.14.1.
Description
In a sandbox environment, objects behaving like arrays could expose their attributes without any security check, allowing an attacker to read potentially sensitive properties.
Resolution
Sandbox mode now runs the security-policy check before accessing the properties of array-like objects and before calling __isset().
See the official Symfony article.
Conclusion and recommendations from LRob
These eight flaws show that even the most robust frameworks like Symfony are not immune to security vulnerabilities. Fortunately, the Symfony team reacted quickly to provide patches, and, as is only right and proper, the vulnerabilities were made public only after they had been patched. If you're using Symfony, make sure you update as soon as possible to protect your applications and your users.
Never forget that no software solution is free from security flaws. Your vigilance must be continuous, and regular updates remain the best line of defence against security breaches and cyberthreats.
At LRob, our servers offer optimal security:
- No Windows vulnerability: as our servers run on Linux, they are not affected by Windows-specific vulnerabilities.
- Server application updates: server software is updated daily and monitored 24/7.
- ModSecurity firewall: by actively filtering malicious requests, our firewall protects your applications.
- Off-site backups: we make daily off-site backups to facilitate data recovery in the event of an incident, and you can also make your own backups to the FTP of your choice (for example via a PulseHeberg Storage Cloud VPS) via Plesk.