Tag :
Cyber Security

Description

Introduction to Components

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from the application logic (PHP). This is important in collaborative projects or where the application programmer and the template designer are not the same person.

Summary

The Sangfor Security Team has verified the Smarty sandbox escape vulnerability CVE-2021-26119, classified as critical.

CVE-2021-26119 vulnerability allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode. The vulnerability is found in template files compiled and generated by the engine using the Smarty_Internal_Runtime_TplFunction template. Attackers can exploit this vulnerability to construct malicious data with permission, and ultimately cause remote code execution.

Reproduction

CVE-2021-26119

The Sangfor Security Team established the environment of Smarty 3.1.38 and successfully reproduce this vulnerability as follows:

Impact

Smarty is a well-known template engine written in PHP. There are tens of thousands of unique visitors on the Smarty website daily.

Affected Versions:

Smarty 3.1.38 and earlier versions

Timeline

Feb 18, 2021 Sangfor FarSight Labs detected that Smarty released a security patch.
Feb 25, 2021 Sangfor FarSight Labs reproduced this vulnerability successfully and released solutions.

Learn More

Sangfor FarSight Labs researches the latest and unknown zero-day vulnerabilities and threats, alerting customers to vulnerabilities that can pose threats to their organizations, and providing solutions as soon as possible with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats so our customers can be protected from them as quickly as possible.

Remediation Solution

Smarty has released a new version to fix this vulnerability. Please download it from the following link: https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md

Sangfor Solution

  1. For Sangfor NGAF customers, click Update on Security Capability Update.
  2. Sangfor Cloud WAF has automatically updated its database in the cloud. Users are already protected from this vulnerability without any additional operation required.
  3. Sangfor Cyber Command detects attacks which exploit this vulnerability and can alert users in real time. Users can integrate Cyber Command with NGAF to block an attacker's IP address.
  4. Sangfor SOC has Sangfor security specialists available 24/7 to help you resolve any security issues. After rule update release, Sangfor security experts check and update the customer's vulnerability detection equipment and perform a vulnerability scan of the customer's network environment to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, the SOC regularly reviews and updates device policies to ensure protection against this vulnerability.


Listen To This Post

Search

Keyword maximum 256 character

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

Cyber Security

Retail Cybersecurity–Risks and Data Breaches in E-commerce

Date : 21 Nov 2024
Read Now
Cyber Security

UN and WHO Warn of Ransomware Healthcare Crisis Becoming a Global Threat

Date : 18 Nov 2024
Read Now
Cyber Security

Election Security: Cyber Fraud Through AI, Deep Fakes, and Social Engineering

Date : 13 Nov 2024
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Platform-X
Sangfor Access Secure

Meet the Author

sangfor building image

Sangfor Technologies

Sangfor Technologies is a leading vendor of Cyber Security and Cloud Computing solutions. The majority of the blogs that you are seeing here are written by professionals working at Sangfor. We have a team of content writers, product managers and marketing experts who are taking care of writing articles on various topics that are relevant to our audience. Our team ensures that the articles published are factually correct and helpful to our customers and partners to know more about the recent trends on Cyber Security and Cloud, and how it can help their organizations.

  • facebook
  • twitter
  • linkedin
  • youtube
  • instagram
See Author's Detail