CVE-2021-3007
Published 2021-01-04
CVE-2021-3007: Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content…
Priority: P1 86 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 75.31% (99.5th percentile)
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getlaminas | laminas-http | < 2.14.2 | 2.14.2 |
| laminas | laminas-http | >= 0 < 2.14.2 | 2.14.2 |
| openmage | magento | < 19.4.13 | 19.4.13 |
| openmage | magento | >= 20.0.0 < 20.0.9 | 20.0.9 |
| openmage | magento-lts | <= 19.4.12 | — |
| openmage | magento-lts | >= 0 < 19.4.13 | 19.4.13 |
| openmage | magento-lts | >= 20.0.0 < 20.0.9 | 20.0.9 |
| zend | zend_framework | — | — |
| zendframework | zendframework | 0 – 3.0.0 | — |
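To check whether a deployment pulls in an affected release, the following script reads a composer.lock and applies the ranges from the table above. It is an added example, not a vendor or Composer tool; it assumes the table's laminas-http and magento-lts rows correspond to the Composer packages laminas/laminas-http and openmage/magento-lts, and the lock document it ships with is constructed for the example.

```python
"""Check a composer.lock against the affected ranges in this page's table.

Added example, not a vendor or Composer tool. Mapping the table's vendor/product
rows to the Composer package names laminas/laminas-http and openmage/magento-lts
is this example's assumption; the lock document at the bottom is constructed.
"""
import json
import re

# Per package: (lower bound inclusive, upper bound exclusive, fixed-in) from the table.
AFFECTED = {
    "laminas/laminas-http": [((0, 0, 0), (2, 14, 2), "2.14.2")],
    "openmage/magento-lts": [((0, 0, 0), (19, 4, 13), "19.4.13"),
                             ((20, 0, 0), (20, 0, 9), "20.0.9")],
}
UNVERIFIABLE = "unverifiable"


def parse_version(tag: str):
    """'v2.14.1' -> (2, 14, 1); '20.0.8-p1' -> (20, 0, 8); 'dev-master' -> None."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", tag.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def affected_range(name: str, tag: str):
    """Fixed-in version if name@tag sits inside an affected range, else None.
    A branch pin (dev-*) cannot prove the fix is present and is reported as such."""
    ranges = AFFECTED.get(name.lower())
    if not ranges:
        return None
    version = parse_version(tag)
    if version is None:
        return UNVERIFIABLE
    for low, high, fixed in ranges:
        if low <= version < high:
            return fixed
    return None


def check_lock(lock_json: str) -> list[dict]:
    """Scan both 'packages' and 'packages-dev' sections of a composer.lock document."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, tag = pkg.get("name", ""), str(pkg.get("version", ""))
            fixed = affected_range(name, tag)
            if fixed is not None:
                findings.append({"section": section, "name": name,
                                 "version": tag, "fixed_in": fixed})
    return findings


# Constructed lock document. laminas/laminas-mvc is only a non-affected decoy here
# and acme/devtool is a placeholder name, not a real package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laminas/laminas-http", "version": "2.14.1"},
        {"name": "laminas/laminas-mvc", "version": "3.1.1"},
        {"name": "openmage/magento-lts", "version": "20.0.9"},
    ],
    "packages-dev": [{"name": "acme/devtool", "version": "dev-main"}],
})

if __name__ == "__main__":
    for f in check_lock(SAMPLE_LOCK):
        print(f"{f['name']} {f['version']} is affected; upgrade to {f['fixed_in']}")
```

Against a real checkout, call `check_lock(open("composer.lock").read())`; a branch pin such as dev-master is reported as unverifiable rather than silently passed, because the lock alone cannot show whether the fix commit is in that branch.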
Detection & IOCs (extracted from sources)
- path: /zend3/public/
- snort rule (ET sid 2031536; note that bsize:14 pins the URI to exactly /zend3/public/, the path seen in the FreakOut campaign, so other deployment paths are not covered):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/zend3/public/"; fast_pattern; http.request_body; content:"zend"; nocase; content:"validator"; nocase; distance:0; content:"callback"; nocase; distance:0; content:"file_put_contents"; nocase; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2021-3007; classtype:attempted-admin; sid:2031536; rev:2; metadata:created_at 2021_01_22, cve CVE_2021_3007, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_25;)
- bytes (base64; decodes to a PHP serialize() object graph rooted at Zend\Http\Response\Stream with cleanup set and a Zend\View\Helper\Gravatar object in the streamName property; truncated): TzoyNToiWmVuZFxIdHRwXFJlc3BvbnNlXFN0cmVhbSI6Mjp7czoxMDoiACoAY2xlYW51cCI7YjoxO3M6MTM6IgAqAHN0cmVhbU5hbWUiO086MjU6IlplbmRcVmlld1xIZWxwZXJcR3JhdmF0YXIiOjI6e3M6NzoiACoAdmlldyI7TzozMDoiWmVuZFxWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyIjoxOntzOjQxOiIAWmVuZFxWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyAF9faGVscGVycyI7TzoxODoiWmVuZFxDb25maWdcQ29uZmlnIjoxOntzOjc6IgAqAGRhdGEiO2E6Mjp7czoxMDoiZXNjYXBlaHRtbCI7czo2OiJzeXN0ZW0iO3M6MTQ6ImVzY2FwZWh0bWxhdHRyIjtzOjc6InBocGluZm8iO319fXM6MTM6IgAqAGF0dHJpYnV0ZXMiO2E6MTp7
- bytes (base64; the same chain under the Laminas namespace, rooted at Laminas\Http\Response\Stream; truncated): TzoyODoiTGFtaW5hc1xIdHRwXFJlc3BvbnNlXFN0cmVhbSI6Mjp7czoxMDoiACoAY2xlYW51cCI7YjoxO3M6MTM6IgAqAHN0cmVhbU5hbWUiO086Mjg6IkxhbWluYXNcVmlld1xIZWxwZXJcR3JhdmF0YXIiOjI6e3M6NzoiACoAdmlldyI7TzozMzoiTGFtaW5hc1xWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyIjoxOntzOjQ0OiIATGFtaW5hc1xWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyAF9faGVscGVycyI7TzoyMToiTGFtaW5hc1xDb25maWdcQ29uZmlnIjoxOntzOjc6IgAqAGRhdGEiO2E6Mjp7czoxMDoiZXNjYXBlaHRtbCI7czo2OiJzeXN0ZW0iO3M6MTQ6ImVzY2FwZWh0bWxhdHRyIjtzOjc6InBocGluZm8iO319fXM6MTM6IgAqAGF0dHJpYnV0ZXMiO2E6MTp7
- FreakOut bots communicate over IRC. Detect outbound IRC connections where the NICK message matches the pattern '[HAX|' prefix, indicating a FreakOut bot registration.
- The malware gains persistence by adding itself to rc.local. Monitor for modifications to /etc/rc.local by unexpected processes.
- Shodan query 'http.html:"laminas"' can be used to identify exposed Laminas/Zend Framework instances potentially vulnerable to CVE-2021-3007.
- CVE-2021-3007 was actively exploited by the FreakOut botnet alongside CVE-2020-28188 (TerraMaster TOS) and CVE-2020-7961 (Liferay Portal). Detections for any one of these CVEs should prompt investigation for the other two.
- The out.py malware is polymorphically re-obfuscated on every download: function names and variable names change each time, making static hash-based detection unreliable.
- All C2 connection credentials (IRC server, channel, key) are obfuscated and encoded multiple times within the malware code itself, requiring dynamic analysis or code unpacking to extract.
- The Nuclei template exploit requires attacker-controlled serialized data to be submitted as a POST body parameter; the specific parameter name ('hello' in the template) may vary in real-world exploitation.
- Zend Framework is no longer supported upstream; patches for CVE-2021-3007 were backported to magento-lts (versions 19.4.13 and 20.0.9) from Zend Framework 3, and the canonical fix is to migrate to laminas-http >= 2.14.2.
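The two base64 IOCs above decode to a PHP serialize() object graph rooted at Zend\Http\Response\Stream (or its Laminas equivalent) whose protected streamName property holds an object rather than a string; that is the condition behind the description's reference to the class's __destruct method and the thing the laminas type check rejects. The following script is an added example, not code from any of the page's sources: it scans a request body (raw or form-encoded, base64 or not) for that shape, independent of the URI the Snort rule pins. The chain literal is the decoded form of the page's first IOC, truncated where the page truncates it; the request bodies are constructed for the example and the "hello" parameter name is taken from the Nuclei template note above.

```python
"""Scan request bodies for the PHP serialize() gadget chain behind CVE-2021-3007.

Added example, not code from the page's sources. The chain literal below is the
decoded form of the page's first base64 "bytes" IOC and is kept truncated where the
page truncates it; the request bodies are constructed for this example.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# Root classes of the chain: unserialize() of either yields an object whose
# __destruct runs the cleanup path on its streamName property.
STREAM_CLASSES = {"Zend\\Http\\Response\\Stream", "Laminas\\Http\\Response\\Stream"}

# O:<len>:"<class>":<nprops>:{  -- an object header in serialize() output
OBJECT_HEADER = re.compile(rb'O:(\d+):"([^"]+)":(\d+):\{')
# protected property "\0*\0streamName" holding an object (O:) instead of a string (s:);
# that type confusion is what the type check added in laminas-http 2.14.2 rejects.
STREAM_NAME_OBJECT = re.compile(rb's:13:"\x00\*\x00streamName";O:\d+:"([^"]+)"')

# Decoded form of the page's first "bytes" IOC (Zend namespace), truncated as on the page.
ZEND_CHAIN = (
    b'O:25:"Zend\\Http\\Response\\Stream":2:{'
    b's:10:"\x00*\x00cleanup";b:1;'
    b's:13:"\x00*\x00streamName";O:25:"Zend\\View\\Helper\\Gravatar":2:{'
    b's:7:"\x00*\x00view";O:30:"Zend\\View\\Renderer\\PhpRenderer":1:{'
    b's:41:"\x00Zend\\View\\Renderer\\PhpRenderer\x00__helpers";O:18:"Zend\\Config\\Config":1:{'
    b's:7:"\x00*\x00data";a:2:{s:10:"escapehtml";s:6:"system";s:14:"escapehtmlattr";s:7:"phpinfo";}}}'
    b's:13:"\x00*\x00attributes";a:1:{'
)


def php_object_classes(data: bytes) -> list[str]:
    """Class names of every object header, in order; the declared length must match
    the name so prose that happens to contain 'O:' is not reported."""
    return [m.group(2).decode("latin-1") for m in OBJECT_HEADER.finditer(data)
            if int(m.group(1)) == len(m.group(2))]


def maybe_base64(value: bytes) -> bytes:
    """Base64-decode a value that looks like base64; otherwise return it unchanged."""
    s = value.strip()
    if len(s) >= 8 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        try:
            return base64.b64decode(s + b"=" * (-len(s) % 4), validate=True)
        except binascii.Error:
            pass
    return value


def analyze(body: bytes) -> dict:
    """Report gadget-chain indicators for one request body, raw or form-encoded."""
    candidates = [body]
    # The public PoC submits the chain as one POST parameter (the page's Nuclei
    # template uses "hello"), so each percent-decoded form value is inspected too.
    for values in parse_qs(body.decode("latin-1"), keep_blank_values=True,
                           encoding="latin-1").values():
        candidates.extend(v.encode("latin-1") for v in values)
    report = {"classes": [], "stream_root": None, "stream_name_is_object": False}
    for cand in candidates:
        data = maybe_base64(cand)
        classes = php_object_classes(data)
        if not classes:
            continue
        report["classes"] = classes
        report["stream_root"] = next((c for c in classes if c in STREAM_CLASSES), None)
        report["stream_name_is_object"] = STREAM_NAME_OBJECT.search(data) is not None
        break
    # A serialized Stream object in a request is abnormal by itself: on unfixed
    # versions __destruct's cleanup path acts on streamName even when it is a plain
    # string. An object in that slot is the __toString-driven RCE chain.
    report["suspicious"] = report["stream_root"] is not None
    report["rce_chain"] = report["suspicious"] and report["stream_name_is_object"]
    return report


def form_body(param: str, payload: bytes) -> bytes:
    """Constructed application/x-www-form-urlencoded body carrying base64(payload)."""
    return f"{param}={quote(base64.b64encode(payload).decode())}".encode()


# Constructed samples: the PoC shape, a string-valued Stream, and ordinary form data.
SAMPLE_EXPLOIT = form_body("hello", ZEND_CHAIN)
SAMPLE_STRING_STREAM = (b'O:25:"Zend\\Http\\Response\\Stream":2:{s:10:"\x00*\x00cleanup";b:1;'
                        b's:13:"\x00*\x00streamName";s:8:"/tmp/foo";}')
SAMPLE_BENIGN = b"email=someone%40example.com&token=abc123"

if __name__ == "__main__":
    for label, body in (("exploit", SAMPLE_EXPLOIT), ("string stream", SAMPLE_STRING_STREAM),
                        ("benign", SAMPLE_BENIGN)):
        print(label, analyze(body))
```

The class-name length check matters in practice: a bare substring match on "Zend" or "Stream" fires on ordinary text, whereas a well-formed O:<len>:"<class>" header with the right length only appears in serialize() output. The Laminas IOC is matched by the same patterns, since only the class names differ.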
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
OSV
Remote code execution in zendframework and laminas-http
osv·2021-06-08
CVE-2021-3007 [CRITICAL] Remote code execution in zendframework and laminas-http
Remote code execution in zendframework and laminas-http
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
GHSA
Remote code execution in zendframework and laminas-http
ghsa·2021-06-08
CVE-2021-3007 [CRITICAL] CWE-502 Remote code execution in zendframework and laminas-http
Remote code execution in zendframework and laminas-http
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
OSV
Fixes a bug in Zend Framework's Stream HTTP Wrapper
osv·2021-04-22·CVSS 9.8
CVE-2021-21426 [CRITICAL] Fixes a bug in Zend Framework's Stream HTTP Wrapper
Fixes a bug in Zend Framework's Stream HTTP Wrapper
### Impact
CVE-2021-3007: Backport of Zend_Http_Response_Stream, added certain type checking as a way to prevent exploitation. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007
This vulnerability is caused by the unsecured deserialization of an object. In versions higher than Zend Framework 3.0.0, the attacker abuses the Zend3 feature that loads classes from objects in order to upload and execute malicious code in the server. The code can be uploaded using the “callback” parameter, which in this case inserts a malicious code instead of the “callbackOptions” array.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
v20.0.9 v19.4.13
GHSA
Fixes a bug in Zend Framework's Stream HTTP Wrapper
ghsa·2021-04-22·CVSS 9.8
CVE-2021-21426 [CRITICAL] CWE-502 Fixes a bug in Zend Framework's Stream HTTP Wrapper
Fixes a bug in Zend Framework's Stream HTTP Wrapper
### Impact
CVE-2021-3007: Backport of Zend_Http_Response_Stream, added certain type checking as a way to prevent exploitation. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007
This vulnerability is caused by the unsecured deserialization of an object. In versions higher than Zend Framework 3.0.0, the attacker abuses the Zend3 feature that loads classes from objects in order to upload and execute malicious code in the server. The code can be uploaded using the “callback” parameter, which in this case inserts a malicious code instead of the “callbackOptions” array.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
v20.0.9 v19.4.13
VulnCheck
getlaminas laminas-http Deserialization of Untrusted Data
vulncheck·2021·CVSS 9.8
CVE-2021-3007 [CRITICAL] getlaminas laminas-http Deserialization of Untrusted Data
getlaminas laminas-http Deserialization of Untrusted Data
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
Affected: getlaminas laminas-http
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations ar
Suricata
ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)
suricata·2021-01-22·CVSS 9.8
CVE-2021-3007 [CRITICAL] ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)
ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/zend3/public/"; fast_pattern; http.request_body; content:"zend"; nocase; content:"validator"; nocase; distance:0; content:"callback"; nocase; distance:0; content:"file_put_contents"; nocase; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2021-3007; classtype:attempted-admin; sid:2031536; rev:2; metadata:created_at 2021_01_22, cve CVE_2021_3007, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03
Nuclei
Laminas Project laminas-http - Remote Code Execution
nuclei·CVSS 9.8
CVE-2021-3007 [CRITICAL] Laminas Project laminas-http - Remote Code Execution
Laminas Project laminas-http - Remote Code Execution
Laminas Project laminas-http < 2.14.2 and Zend Framework 3.0.0 contain a deserialization vulnerability caused by __destruct method in Zend\\Http\\Response\\Stream, letting attackers control content lead to remote code execution, exploit requires attacker-controlled serialized data.
Template:
id: CVE-2021-3007
info:
name: Laminas Project laminas-http - Remote Code Execution
author: 0xanis
severity: critical
description: |
Laminas Project laminas-http < 2.14.2 and Zend Framework 3.0.0 contain a deserialization vulnerability caused by __destruct method in Zend\\Http\\Response\\Stream, letting attackers control content lead to remote code execution, exploit requires attacker-controlled serialized data.
impact: |
Attackers can execute arb
Securelist
Cyberthreats to financial organizations in 2022
blogs_securelist·2021-11-23
Cyberthreats to financial organizations in 2022
Table of Contents
Analysis of forecasts for 2021
Key events in 2021
Forecasts for 2022
Authors
Dmitry Bestuzhev
Santiago Pontiroli
Fabio Assolini
Seongsu Park
## A look back on the year 2021 and what to expect in 2022
First of all, we are going to analyze the forecasts we made at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.
## Analysis of forecasts for 2021
The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin thef
Securelist
DDoS attacks in Q1 2021
blogs_securelist·2021-05-10·CVSS 9.8
[CRITICAL] DDoS attacks in Q1 2021
Table of Contents
News overview
Quarter trends
Statistics
Methodology
Quarter summary
Attack geography
DDoS attack dynamics
Duration and types of DDoS attacks
Botnet distribution geography
Conclusion
Authors
Alexander Gutnikov
Oleg Kupreev
Ekaterina Badovskaya
## News overview
Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.
Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian
Checkpoint
FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet
blogs_checkpoint·2021-01-19·CVSS 9.8
CVE-2020-28188 [CRITICAL] FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet
## FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet
Research By: Omer Ventura, Ori Hamama, Network Research
## Introduction
Recently, Check Point Research encountered se
Greynoiseio
How to Identify & Disrupt C2s Using Graph Analysis
blogs_greynoiseio
How to Identify & Disrupt C2s Using Graph Analysis
References
- https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md
- https://github.com/laminas/laminas-http/commits/2.15.x/src/Response/Stream.php
- https://github.com/laminas/laminas-http/pull/48
- https://github.com/laminas/laminas-http/releases/tag/2.14.2
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/