openITCOCKPIT Gearman Worker Unsafe Deserialization Vulnerability Allowing PHP Object Injection

Vulnerability

A vulnerability exists in openITCOCKPIT Community Edition versions through 5.3.1, specifically within the Gearman worker implementation. The worker function 'oitc_gearman' passes job payloads straight to PHP's 'unserialize()' without validation or class restrictions, so any class reachable by the worker can be instantiated from attacker-controlled input. This is a PHP Object Injection in the worker process, and it matters wherever the Gearman service or worker is reachable from untrusted systems: when Gearman listens on a non-local interface, or when untrusted systems can enqueue jobs. The vulnerability may not be immediately exploitable in default, well-configured deployments, but the risk remains if the application is misconfigured or if the trust assumptions are violated.

Impact

An attacker who can submit a job to the worker can inject arbitrary PHP objects into the application. Unserializing those objects triggers magic methods such as '__wakeup' or '__destruct' on whatever classes are loadable by the worker, which can lead to remote code execution, unauthorized file system modifications, disclosure of sensitive information, or a persistent compromise of the worker environment.

Reproduction

To reproduce this vulnerability, first ensure that the Gearman worker is running and accessible over the network. Then, send a crafted serialized payload to the 'oitc_gearman' function using Gearman's command-line interface. The payload is a serialized PHP object that, when unserialized by the worker, executes arbitrary code or modifies the file system.

Remediation

Users are advised to update to openITCOCKPIT version 5.4.0, where this vulnerability has been fixed. In addition, restrict Gearman to localhost or private networks, enforce strict firewall rules, and avoid exposing Gearman to untrusted or multi-tenant environments.
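The following PHP is an added illustration of the defect described in the Vulnerability section and of the code-level half of the remediation above; it is not openITCOCKPIT's code, and the function names (handleJobUnsafe, handleJobHardened, containsObject), the sample payloads and the worker registration shape are assumptions. The vulnerable pattern hands the workload to 'unserialize()' with no class restriction; the hardened pattern passes 'allowed_classes' => false so no object is ever instantiated, then rejects any payload that still contains an object (which PHP surfaces as __PHP_Incomplete_Class) before the data is used.

```php
<?php
// Added example, not openITCOCKPIT's code. handleJobUnsafe, handleJobHardened,
// containsObject and the payloads below are assumptions made for illustration.
// The worker loop at the bottom needs the pecl "gearman" extension.

// Vulnerable pattern: every class named in the payload is instantiated, so a
// crafted job reaches __wakeup()/__destruct() of any class the worker can load.
function handleJobUnsafe(string $workload): array
{
    $job = unserialize($workload); // no allowed_classes restriction
    return is_array($job) ? $job : [];
}

// Hardened pattern: allowed_classes => false means unserialize() never builds
// a real object; anything that was an object arrives as __PHP_Incomplete_Class
// and is refused before the job data is touched.
function handleJobHardened(string $workload): array
{
    $job = @unserialize($workload, ['allowed_classes' => false]);
    if ($job === false && $workload !== serialize(false)) {
        throw new InvalidArgumentException('malformed job payload');
    }
    if (!is_array($job) || containsObject($job)) {
        throw new InvalidArgumentException('job payload must be a plain array of scalars');
    }
    return $job;
}

// Recursively refuse any object (including __PHP_Incomplete_Class) in the decoded data.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample payloads: a benign job and one that smuggles an object.
$benign  = serialize(['task' => 'check_host', 'host_id' => 42]);
$hostile = 'a:1:{s:4:"task";O:8:"stdClass":1:{s:1:"x";i:1;}}';

var_dump(handleJobHardened($benign)['task']);
try {
    handleJobHardened($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Worker registration (assumed shape; the real worker is not shown on the page).
// Connecting only to 127.0.0.1 keeps the worker off any network-facing gearmand.
if (extension_loaded('gearman') && PHP_SAPI === 'cli' && getenv('RUN_WORKER')) {
    $worker = new GearmanWorker();
    $worker->addServer('127.0.0.1', 4730);
    $worker->addFunction('oitc_gearman', function (GearmanJob $gearmanJob): string {
        $job = handleJobHardened($gearmanJob->workload());
        return json_encode(['ok' => true, 'task' => $job['task'] ?? null]);
    });
    while ($worker->work()) {
    }
}
```

Run it with 'php worker.php' to see the benign job accepted and the object-bearing one rejected; set RUN_WORKER=1 to start the loop against a local gearmand. Where the job format is under your control, serializing with json_encode and decoding with json_decode removes the object-injection surface entirely, because JSON has no notion of PHP classes. The network half of the remediation is the gearmand listen address: starting it with '--listen=127.0.0.1' (or firewalling port 4730) keeps untrusted hosts from enqueuing jobs at all.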

Added: Feb 20, 2026, 7:56 PM
Updated: Feb 20, 2026, 7:56 PM

Vulnerability Rating

Custom Algorithm

Category          Score
spread            1.4
impact            7.5
exploitability    5.2
remediation       0.0
relevance         3.1
threat            6.4
urgency           2.9
incentive         0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.