[CDP-development] TLP:GREEN (Vulnerability Alert Notification) - CVE-2018-15133: Laravel Deserialization of Untrusted Data Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Tue Jan 16 14:12:38 PST 2024


Good afternoon,

The SOC Services team is reporting on the vulnerability CVE-2018-15133: Laravel Deserialization of Untrusted Data Vulnerability. Because of its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On January 16, 2024, CISA added CVE-2018-15133 to its Known Exploited Vulnerabilities Catalog. CVE-2018-15133 allows deserialization of untrusted data in older versions of Laravel; the vulnerability has a CVSS v3 base score of 8.1.

Vulnerable versions:

  *   Laravel through 5.5.40, and Laravel 5.6.x through 5.6.29

Fixed Versions:

  *   Laravel 5.6.30 and higher

Laravel has provided information regarding the vulnerability in their upgrade guide, which can be found here: https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30

Intelligence: As of January 16, 2024, the vulnerability has been confirmed as being exploited in the wild.

Workarounds: There are no workarounds at this time.

How it works: Remote command execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, because the decrypt method in Illuminate/Encryption/Encrypter.php passes the decrypted data to an unsafe unserialize() call. Authentication is not required; however, exploitation requires knowledge of the Laravel APP_KEY, since the encrypted payload must carry a valid MAC computed with that key. Based on the code fix, the same weakness appears to apply to Laravel's encrypted cookies. In some cases the APP_KEY is leaked (for example, through an exposed .env file or a public repository), which allows for discovery and exploitation.
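The following is an added example, not code from Laravel or from this advisory. It re-implements the Laravel 5.x Encrypter payload format as we understand it (base64 of a JSON object with iv, value and mac; AES-256-CBC; HMAC-SHA256 over the base64 iv and ciphertext) closely enough to show the three points above: the MAC means an attacker needs APP_KEY; with the key, the X-XSRF-TOKEN header becomes an unserialize() sink; and a token that is only ever handled as a string is not. All function and class names are hypothetical, the Probe class stands in for a real gadget, and the hardened function illustrates the principle of the fix rather than reproducing Laravel's exact patch.

```php
<?php
// Added example (not Laravel's code). Re-implements the Encrypter payload
// shape so the vulnerable and hardened handling can be compared side by side.

function laravel_key(string $appKey): string {
    // APP_KEY in .env is "base64:<32 random bytes>" for AES-256-CBC.
    return strncmp($appKey, 'base64:', 7) === 0
        ? base64_decode(substr($appKey, 7))
        : $appKey;
}

// Produce a payload with the same shape an Encrypter would emit.
function laravel_encrypt(string $key, string $plaintext): string {
    $iv    = random_bytes(16);
    $value = openssl_encrypt($plaintext, 'AES-256-CBC', $key, 0, $iv); // base64 ciphertext
    $ivB64 = base64_encode($iv);
    $mac   = hash_hmac('sha256', $ivB64 . $value, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $value, 'mac' => $mac]));
}

// Verify the MAC and decrypt, but return raw bytes: no unserialize() here.
function laravel_decrypt_raw(string $key, string $payload): ?string {
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['iv'], $data['value'], $data['mac'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        return null; // tampered or forged without the key: rejected before decryption
    }
    $plain = openssl_decrypt($data['value'], 'AES-256-CBC', $key, 0, base64_decode($data['iv']));
    return $plain === false ? null : $plain;
}

// Pre-fix behaviour described in the advisory: decrypted data goes straight to unserialize().
function vulnerable_decrypt(string $key, string $payload) {
    $plain = laravel_decrypt_raw($key, $payload);
    return $plain === null ? null : unserialize($plain);
}

// Hardened behaviour: a CSRF token is an opaque string and is never unserialized.
function hardened_decrypt_string(string $key, string $payload): ?string {
    return laravel_decrypt_raw($key, $payload);
}

// Triage check for captured headers/cookies: does the decrypted value carry a
// PHP object? A legitimate XSRF token decrypts to s:40:"<hex>"; a gadget chain
// starts with, or embeds, an O:<len>:"<class>" marker. Heuristic, not a parser.
function token_carries_object(string $key, string $payload): bool {
    $plain = laravel_decrypt_raw($key, $payload);
    return $plain !== null && preg_match('/(^|[;{])O:\d+:"/', $plain) === 1;
}

// Hypothetical stand-in for a gadget: any autoloadable class whose magic method
// has a side effect. Real chains use classes shipped by the app or its vendored packages.
class Probe {
    public static $fired = 0;
    public function __wakeup() { self::$fired++; }
}

// Demo with a constructed, throwaway key (never hard-code a real APP_KEY).
$key      = laravel_key('base64:' . base64_encode(random_bytes(32)));
$benign   = laravel_encrypt($key, serialize(bin2hex(random_bytes(20)))); // what the app issues
$forged   = laravel_encrypt($key, serialize(new Probe()));                // only possible with the key
$tampered = substr_replace($forged, 'AAAA', 10, 4);                       // no key: MAC will not verify

printf("tampered payload rejected: %s\n", var_export(laravel_decrypt_raw($key, $tampered) === null, true));
printf("benign token carries object: %s\n", var_export(token_carries_object($key, $benign), true));
printf("forged token carries object: %s\n", var_export(token_carries_object($key, $forged), true));

hardened_decrypt_string($key, $forged);
printf("__wakeup calls after string handling: %d\n", Probe::$fired);   // string path never unserializes
vulnerable_decrypt($key, $forged);
printf("__wakeup calls after unserialize path: %d\n", Probe::$fired);  // attacker-chosen class was instantiated
```

Running this shows why the key is the whole story: the tampered payload never reaches openssl_decrypt, the benign token decrypts to a plain string, and only the forged token, which could not have been produced without APP_KEY, causes the unserialize() path to instantiate an attacker-chosen class. The token_carries_object check is the kind of logic that can be run offline over captured X-XSRF-TOKEN headers and laravel_session cookies when investigating a host whose key may have leaked.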

Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could remotely execute code on the web server with the privileges of the PHP process.

As of January 16, 2024, Tenable has not released any plugins for this vulnerability and has none in the pipeline.

Recommended Actions:

  *   Verify the host has not been compromised before applying patches.
  *   Apply the appropriate vendor updates to vulnerable systems immediately after appropriate testing.
  *   Verify that the application's APP_KEY has not been exposed (for example, in a committed .env file, a web-accessible directory, or a public repository); because exploitation depends on knowing this key, rotate any key that may have leaked.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."

