PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5543 Intelliants CVE debrief

CVE-2017-5543 affects Subrion CMS 4.0.5. The public description says includes/classes/ia.core.users.php can allow remote attackers to conduct PHP Object Injection via crafted serialized data in a salt cookie sent with a login request. NVD rates the issue Critical with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning a network-reachable attack with no privileges or user interaction and high impact if successful. NVD maps the weakness to CWE-94.

Vendor: Intelliants
Product: CVE-2017-5543
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Subrion CMS 4.0.5 should treat this as high priority, especially if the login endpoint is reachable from untrusted networks. Incident responders should also review any exposed or legacy Subrion installations for signs of abuse.

Technical summary

The vulnerable code path is identified in includes/classes/ia.core.users.php. According to the supplied NVD description, a login request can carry a salt cookie containing crafted serialized data that triggers PHP object injection. NVD classifies the weakness as CWE-94 and assigns a critical network-exploitable CVSS profile with no authentication or user interaction required.

Defensive priority

Immediate

Recommended defensive actions

  • Inventory all Subrion CMS deployments and confirm whether any instance is running version 4.0.5.
  • Apply the vendor-referenced fix or upgrade path associated with the issue tracker entry as soon as possible.
  • If patching cannot be done immediately, restrict access to the login interface to trusted networks or administrative sources only.
  • Monitor authentication logs and HTTP request telemetry for unusual login attempts or unexpected serialized cookie values.
  • If compromise is suspected, preserve logs, investigate affected hosts, and rotate credentials and secrets used by the application.
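
The monitoring step above can be prototyped as a log check that decodes the salt cookie and flags PHP serialized-object markers. This is an added example, not code from this debrief, NVD or the Subrion project; the log layout (one line per request with the raw Cookie header) and the /login/ path are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# PHP serialize() writes objects as O:<len>:"<Class>":<count>:{ (C: for Serializable).
# A leading "+" on the length is tolerated so that variant is not missed.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:\{')
# Assumed (hypothetical) log layout: ip "METHOD path" status "raw Cookie header"
LINE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "(.*)"$')

def salt_cookie(cookie_header):
    """Return the fully URL-decoded salt cookie value, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "salt":
            for _ in range(3):  # peel up to three layers of percent-encoding
                decoded = unquote(value)
                if decoded == value:
                    break
                value = decoded
            return value
    return None

def scan(lines):
    """Return one finding per request whose salt cookie holds a serialized object."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, method, path, status, cookies = m.groups()
        value = salt_cookie(cookies)
        classes = PHP_OBJECT.findall(value) if value else []
        if classes:
            findings.append({"ip": ip, "request": f"{method} {path}",
                             "status": status, "classes": classes})
    return findings

# Constructed sample lines (documentation IP ranges, inert stdClass values only).
SAMPLE_LOG = [
    '192.0.2.10 "POST /login/" 302 "lang=en; salt=5f2a9c"',
    '198.51.100.7 "POST /login/" 500 "salt=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '203.0.113.5 "POST /login/" 500 "lang=en; salt=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"',
    '192.0.2.11 "GET /" 200 "lang=en"',
    '203.0.113.9 "POST /login/" 200 "salt=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Default web server access logs usually omit the Cookie header, so this check needs a log format or WAF/proxy telemetry that captures it.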

Evidence notes

The supplied CVE and NVD data identify Subrion CMS 4.0.5 as vulnerable and describe remote PHP object injection through crafted serialized data in a salt cookie during login. The NVD metadata assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-94. References in the source corpus include an official CVE record, an official NVD detail page, a SecurityFocus advisory entry, and a GitHub issue-tracker reference tagged as Patch and Third Party Advisory. No KEV entry is supplied.

Official resources

CVE-2017-5543 was published on 2017-01-20T08:59:00.550Z. The supplied NVD record was last modified on 2026-05-13T00:24:29.033Z. The enrichment data does not mark this CVE as a Known Exploited Vulnerability.