Hello, welcome to the Wednesday, August 18th, 2021 edition of the Santernet Storm Center's Stormcast. My name is Johannes Ulrich,

and the I'm recording from Stockholm, Germany. La Ravel, a PHP framework that includes a component called

Ignition, whose main purpose is to make debugging easier and

also display prior error messages.

Well, it turns out that in older versions of Larravel, that's 842 and earlier, this component

suffered a remote code execution vulnerability that we are now seeing exploited.

The vulnerability is being tracked as CVE 2021-31-29. It was discovered or at least patched fairly early this year, exploit attempts will be able to modify

variables and execute arbitrary code. What we are seeing so far are attempts to essentially

detect if a server is vulnerable. No actual exploit seen yet, but our honeypots also are not

vulnerable, so we probably don't yet see that second part that actually then would load

some kind of exploit payload. First of all, components and frameworks like Laravel need to be

regularly updated. This is not the only

vulnerability that has affected Laravel in the past. But on the other hand, the ignition

component is specifically meant for debugging. So it's only being enabled if Larval

is running in debug mode.

This is a configuration setting.

So you don't actually need to uninstall here anything on a live server.

You just need to make sure that the live version of a site is running in the correct configuration.

So this debug code is not loaded. And regardless,

the remote code execution vulnerability, you never really should run a life site in debug

mode like this and provide attackers with very nice looking and detailed error messages.

And the fire I disclosed limited details regarding a vulnerability in the ThruTech Kalea protocol.

...