CVE-2026-49740
Status: Deferred - Pending Action

PHP Object Injection in TYPO3 CMS Cache and Registry

Vulnerability report for CVE-2026-49740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: TYPO3

Description

TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3.

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
Listed in: NVD, EUVD

Affected Vendors & Products

Showing 5 associated CPEs

Vendor   Product   Version / Range
typo3    typo3     up to 10.4.57 (excluding)
typo3    typo3     up to 11.5.51 (excluding)
typo3    typo3     up to 12.4.46 (excluding)
typo3    typo3     up to 13.4.31 (excluding)
typo3    typo3     up to 14.3.3 (excluding)

Exploitability

CWE ID    Description
CWE-502   The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Executive Summary

This vulnerability affects TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry), which deserialize PHP payloads without verifying their integrity or restricting the classes they contain.

An attacker who has write access to the underlying storage backend, such as the cache store or the sys_registry database table, can inject a specially crafted serialized payload. This can trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other serious impacts.

Exploitation requires direct local write access to the storage, like the SQL database or file system.

Impact Analysis

If exploited, this vulnerability can lead to Remote Code Execution on the affected TYPO3 system.

This means an attacker with write access to the storage backend could execute arbitrary code, potentially compromising the entire system.

Other high-impact effects are also possible through PHP Object Injection, depending on the gadget chain exploited.

Detection Guidance

This vulnerability is an insecure deserialization flaw in TYPO3's cache frontend and persistent key-value store, and exploiting it requires local write access to the underlying storage, such as the SQL database or the file system. Detection therefore means inspecting those storage backends for crafted serialized PHP payloads rather than watching network traffic.

Because exploitation requires direct local write access, detection should focus on checking the integrity and contents of the cache storage and the sys_registry database table for serialized data that should not be there.

  • For SQL databases, query the sys_registry table for values that look like serialized PHP objects, for example: SELECT * FROM sys_registry WHERE entry_value LIKE '%O:%'; (sys_registry stores the serialized value in the entry_value column). This is a substring match, so it also hits ordinary strings that happen to contain "O:"; review the hits and compare the class names against what the installed extensions legitimately store.
  • For file system caches, search the cache directory for the same object-serialization pattern, e.g. grep -r 'O:' /path/to/typo3/cache/ with the same caveat about false positives.

Additionally, monitoring for unexpected write access or modifications to these storage locations can help detect attempts to inject malicious payloads.
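A structural version of the SQL and grep checks above, as an added example that is not part of this report or of TYPO3's own code: it walks each stored value with a minimal parser for PHP's serialization format and reports only values that embed objects of classes outside an assumed allowlist, or that are malformed. The sys_registry-shaped rows and the allowlist are constructed for the demonstration; the parser never unserializes anything, so scanning cannot instantiate a stored class.

```python
"""Structural scan of PHP-serialized values for objects of non-allowlisted classes."""
# Constructed sample rows shaped like sys_registry (namespace, key, value); not real data.
SAMPLE_ROWS = [
    ("core", "lastUpdate", b'i:1717920000;'),
    ("core", "note", b's:13:"TODO: fix O:1";'),   # plain string that merely contains "O:"
    ("ext", "cached", b'O:8:"DateTime":3:{s:4:"date";s:19:"2026-06-09 00:00:00";s:13:"timezone_type";i:3;s:8:"timezone";s:3:"UTC";}'),
    ("ext", "suspect", b'a:1:{i:0;O:16:"Unexpected\\Class":1:{s:1:"x";i:1;}}'),
]

def _parse(buf, pos, found):
    """Parse one value at pos, appending class names to found; return end offset."""
    t = buf[pos:pos + 1]
    if t in (b'N', b'b', b'i', b'd', b'r', b'R'):   # N;  i:42;  r:1;
        return buf.index(b';', pos) + 1
    colon = buf.index(b':', pos + 2)
    n = int(buf[pos + 2:colon])
    if t == b's':                                   # s:len:"bytes";
        return colon + n + 4
    if t == b'a':                                   # a:count:{key;value;...}
        pos = colon + 2
        for _ in range(2 * n):
            pos = _parse(buf, pos, found)
        return pos + 1
    if t in (b'O', b'C'):                           # O:len:"Class":count:{...}
        found.append(buf[colon + 2:colon + 2 + n].decode())
        p = colon + n + 3                           # ':' after the closing quote
        colon2 = buf.index(b':', p + 1)
        count = int(buf[p + 1:colon2])
        if t == b'C':                               # C:len:"Class":datalen:{raw}
            return colon2 + count + 3
        pos = colon2 + 2
        for _ in range(2 * count):
            pos = _parse(buf, pos, found)
        return pos + 1
    raise ValueError(f"unknown token {t!r} at offset {pos}")

def scan_rows(rows, allowed=("DateTime", "stdClass")):   # assumed allowlist for this store
    """Return (namespace, key, reason) for rows embedding non-allowlisted classes or malformed data."""
    findings = []
    for ns, key, value in rows:
        classes = []
        try:
            if _parse(value, 0, classes) != len(value):
                raise ValueError("trailing bytes")
        except (ValueError, IndexError, UnicodeDecodeError):
            findings.append((ns, key, "malformed serialized value"))
            continue
        if unexpected := sorted(set(classes) - set(allowed)):
            findings.append((ns, key, "unexpected classes: " + ", ".join(unexpected)))
    return findings
```

The "note" row, which the LIKE '%O:%' substring match would flag, is not reported because its "O:" sits inside a string; a value that does not parse as exactly one well-formed serialized value is reported as malformed, since a tampered entry is as much a finding as an unexpected class.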

Mitigation Strategies

The primary mitigation step is to update TYPO3 CMS to a patched version that addresses this vulnerability. The fixed versions are 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS.

The update introduces security measures including the DenyListDeserializer and AuthenticatedMessageDeserializer, which prevent unsafe deserialization by blocking gadget classes and ensuring payload integrity with HMAC.

Until you can update, restrict write access to the underlying storage backends such as the cache store and sys_registry database table to trusted users only, as exploitation requires local write access.

Follow TYPO3 Security Guide recommendations and subscribe to the typo3-announce mailing list for ongoing security updates.

Compliance Impact

The vulnerability in TYPO3's cache frontend and persistent key-value store allows an attacker with write access to inject crafted serialized payloads, potentially leading to Remote Code Execution or other high-impact effects. Such unauthorized code execution or data manipulation could compromise the confidentiality, integrity, and availability of data managed by TYPO3.

This kind of security flaw can impact compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data against unauthorized access and ensure system integrity. Exploitation of this vulnerability could lead to data breaches or unauthorized data manipulation, thereby violating these regulatory requirements.

Mitigations introduced, such as the DenyListDeserializer and AuthenticatedMessageDeserializer, help prevent exploitation by enforcing integrity checks and blocking dangerous payloads, which supports maintaining compliance by reducing the risk of unauthorized access or data tampering.
