CVE-2024-24752 in brefinfo

Summary

by MITRE • 02/01/2024

Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and, for each one which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does, but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.12.


Analysis

by VulDB Data Team • 10/18/2024

The vulnerability described in CVE-2024-24752 affects the Bref framework, which enables serverless PHP applications on AWS Lambda platforms. This security flaw specifically impacts environments utilizing the Event-Driven Function runtime where the handler implements the RequestHandlerInterface. The core issue arises during the conversion of Lambda events into PSR7 objects, a process that handles MultiPart request processing in a manner that creates significant operational risks. When MultiPart requests are processed, each file contained within these requests undergoes extraction and temporary storage in the Lambda instance's `/tmp` directory, which is a standard practice for handling file uploads in serverless environments. The system generates random filenames for these temporary files, prefixing them with `bref_upload_` to distinguish them from other temporary files. This approach mirrors conventional PHP behavior but introduces a critical oversight in the cleanup process.

The technical flaw stems from the failure to properly clean up temporary files created during MultiPart request processing, creating a persistent resource leak condition within the Lambda execution environment. This vulnerability represents a classic case of improper resource management, specifically categorized under CWE-400 as "Uncontrolled Resource Consumption" or more precisely CWE-772 as "Missing Release of Resource after Effective Lifetime." The absence of temporary file cleanup means that each processed MultiPart request leaves behind files in the `/tmp` directory, which has limited storage capacity on Lambda instances. The operational impact of this vulnerability is severe as it enables a straightforward denial of service attack through disk space exhaustion. An attacker can repeatedly submit MultiPart requests containing files, causing the Lambda instance's storage to fill up completely, ultimately rendering the function unable to process additional requests or perform its intended operations. This vulnerability directly aligns with ATT&CK technique T1499.001 "Fragging" and T1566.001 "Phishing" as it can be exploited through malicious file uploads to exhaust system resources.

The exploitation of this vulnerability demonstrates how seemingly benign functionality can create significant security risks in serverless environments where resources are constrained and shared. The patch implemented in version 2.1.12 addresses this by ensuring proper cleanup of temporary files after request processing, thereby preventing the accumulation of files in the `/tmp` directory. Organizations using the Bref framework should immediately upgrade to version 2.1.12 or later to mitigate this risk. The vulnerability highlights the importance of proper resource management in serverless computing environments where storage space is limited and the cost of resource exhaustion directly impacts application availability and performance. This issue also underscores the need for comprehensive testing of serverless applications, particularly around resource cleanup and temporary file handling, as these aspects often receive less attention during development and security reviews. The fix implemented represents a standard defensive programming practice that should be applied to all serverless applications handling file uploads or temporary data processing to prevent similar vulnerabilities from manifesting in other frameworks or custom implementations.
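The leak and its fix, as an added stand-alone PHP illustration (not Bref's own code and not the 2.1.12 patch): a hypothetical `saveMultipartFiles()` stands in for the event-to-PSR-7 step that writes each file part to `/tmp` as `bref_upload_*`, `handleLeaky()` mirrors the pre-2.1.12 flow, `handleWithCleanup()` unlinks the files in a `finally` block, and `countLeakedUploads()` is the kind of in-function health check an operator can use to spot lingering files. The multipart body is constructed for the demo.

```php
<?php
declare(strict_types=1);

const UPLOAD_PREFIX = 'bref_upload_';

// Hypothetical stand-in for the conversion step: every file part of the
// multipart body lands in /tmp under a random bref_upload_ name.
function saveMultipartFiles(string $body, string $boundary): array
{
    $paths = [];
    foreach (explode("--$boundary", $body) as $part) {
        // Only parts with a filename= disposition carry a file.
        if (!preg_match('/Content-Disposition:[^\r\n]*filename="/i', $part)) {
            continue;
        }
        [, $content] = explode("\r\n\r\n", $part, 2);
        $path = tempnam(sys_get_temp_dir(), UPLOAD_PREFIX);
        file_put_contents($path, rtrim($content, "\r\n-"));
        $paths[] = $path;
    }
    return $paths;
}

// Vulnerable flow: the handler runs, the temp files stay behind.
function handleLeaky(string $body, string $boundary, callable $handler): mixed
{
    return $handler(saveMultipartFiles($body, $boundary));
}

// Fixed flow: temp files are removed once the handler returns or throws.
function handleWithCleanup(string $body, string $boundary, callable $handler): mixed
{
    $paths = saveMultipartFiles($body, $boundary);
    try {
        return $handler($paths);
    } finally {
        foreach ($paths as $p) {
            if (is_file($p)) {
                unlink($p);
            }
        }
    }
}

// Defender's check: how many bref_upload_ files are lingering in /tmp.
function countLeakedUploads(): int
{
    return count(glob(sys_get_temp_dir() . '/' . UPLOAD_PREFIX . '*') ?: []);
}

// Constructed sample request body (not captured traffic).
$boundary = 'XyZ123';
$body = "--$boundary\r\nContent-Disposition: form-data; name=\"doc\"; filename=\"a.txt\"\r\n"
      . "Content-Type: text/plain\r\n\r\nhello\r\n--$boundary--\r\n";
$handler = fn (array $files): int => count($files);

for ($i = 0; $i < 3; $i++) { handleLeaky($body, $boundary, $handler); }
printf("leftover after 3 leaky requests: %d\n", countLeakedUploads());
array_map('unlink', glob(sys_get_temp_dir() . '/' . UPLOAD_PREFIX . '*') ?: []);
for ($i = 0; $i < 3; $i++) { handleWithCleanup($body, $boundary, $handler); }
printf("leftover after 3 cleaned-up requests: %d\n", countLeakedUploads());
```

Running this with the PHP CLI shows the leaky count growing by one file per request while the cleaned-up count stays at zero; the same `glob` check, scheduled or logged from inside the function, gives an early signal of `/tmp` filling up before the Lambda instance stops serving requests.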

Responsible: GitHub, Inc.

Reservation: 01/29/2024

Disclosure: 02/01/2024

Moderation: accepted

CPE: ready

EPSS: 0.00750

KEV: no

Activities: very low
