CVE-2017-14143
📋 TL;DR
CVE-2017-14143 is a critical vulnerability in Kaltura video platforms that allows remote attackers to bypass authentication and execute arbitrary PHP code through PHP object injection. This affects all Kaltura installations before version 13.2.0 that use the default configuration. Attackers can gain complete control over affected systems.
💻 Affected Systems
- Kaltura Community Edition
- Kaltura SaaS
- Kaltura On-Prem
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing remote code execution, data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to web server compromise, data exfiltration, and potential ransomware deployment.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking malicious cookies, and restricted PHP execution environments.
🎯 Exploit Status
Multiple public exploits exist (Exploit-DB 43028, 43876). Attack requires crafting a malicious userzone cookie with predictable signature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.2.0
Vendor Advisory: https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9
Restart Required: Yes
Instructions:
1. Back up your Kaltura installation.
2. Upgrade to Kaltura version 13.2.0 or later.
3. Restart all Kaltura services.
4. Verify the patch is applied by checking the getUserzoneCookie function implementation.
🔧 Temporary Workarounds
WAF Rule for Userzone Cookie Blocking
Configure the web application firewall to block or sanitize malicious userzone cookies. In the rules below, malicious_pattern is a placeholder for the pattern you match on (for example the serialized-PHP markers used in the SIEM query further down).
# Example ModSecurity rule:
SecRule REQUEST_COOKIES:userzone "@rx malicious_pattern" "id:100976,phase:2,deny,status:403,msg:'CVE-2017-14143 exploit attempt'"
# Example nginx rule:
if ($http_cookie ~* "userzone=[^;]*malicious[^;]*") { return 403; }
Disable Userzone Cookie Functionality
Temporarily disable or override the vulnerable getUserzoneCookie function
# Create override file in Kaltura installation:
# File: /opt/kaltura/app/configurations/override.ini
# Add: getUserzoneCookie.enabled = false
# Alternative: Modify getUserzoneCookie to return null immediately
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Kaltura servers from sensitive systems
- Deploy web application firewall with rules specifically targeting userzone cookie manipulation
🔍 How to Verify
Check if Vulnerable:
Check the Kaltura version: if it is below 13.2.0, the system is vulnerable. Also check whether the getUserzoneCookie function uses a hardcoded secret (search the codebase for the 'userzone' cookie handling).
Check Version:
grep -r "KALTURA_VERSION" /opt/kaltura/app/configurations/ 2>/dev/null || kaltura-version
Verify Fix Applied:
Verify that the Kaltura version is >= 13.2.0 and that the getUserzoneCookie function no longer uses a hardcoded secret (inspect the changes in commit 6a6d14328b7a1493e8c47f9565461e5f88be20c9).
📡 Detection & Monitoring
Log Indicators:
- Unusual userzone cookie values in web server logs
- PHP unserialize errors or warnings
- Unexpected process execution from web server user
Network Indicators:
- HTTP requests with unusually long or structured userzone cookies
- Outbound connections from Kaltura server to unknown destinations
SIEM Query:
source="web_server_logs" AND (userzone="*O:*" OR userzone="*C:*" OR userzone="*a:*" OR userzone="*s:*")
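The same check the SIEM query above expresses, run over web server log lines as an added example (this is not Kaltura's code or part of the original advisory). It assumes the Cookie header is written to the access log in a trailing quoted field (Apache-style `"%{Cookie}i"`), that the sample lines below are constructed for illustration, and that 256 bytes is a reasonable "unusually long" threshold for this cookie.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format plus a quoted Cookie
# header field); not real traffic. The second line carries a URL-encoded
# serialized PHP object in the userzone cookie, the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2017:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "userzone=abc123; PHPSESSID=deadbeef"
10.0.0.6 - - [12/Sep/2017:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 512 "userzone=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D; PHPSESSID=cafe"
10.0.0.7 - - [12/Sep/2017:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-"
"""

# Serialized-PHP type prefixes keyed on by the SIEM query:
# O/C = object (the object-injection indicator), a = array, s = string.
PHP_OBJECT = re.compile(r'^[OC]:\d+:"')
PHP_ARRAY_OR_STRING = re.compile(r'^(?:a:\d+:\{|s:\d+:")')
MAX_COOKIE_LEN = 256  # assumed threshold for "unusually long"

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<cookies>[^"]*)"$'
)
USERZONE = re.compile(r'(?:^|;\s*)userzone=(?P<val>[^;]*)')


def extract_userzone(cookie_header):
    """Return the URL-decoded userzone cookie value, or None if absent."""
    m = USERZONE.search(cookie_header)
    return unquote(m.group('val')) if m else None


def classify(value):
    """Return a reason string if the decoded cookie looks suspicious, else None."""
    if value is None:
        return None
    if PHP_OBJECT.match(value):
        return "serialized PHP object in userzone cookie"
    if PHP_ARRAY_OR_STRING.match(value):
        return "serialized PHP array/string in userzone cookie"
    if len(value) > MAX_COOKIE_LEN:
        return "unusually long userzone cookie"
    return None


def scan_log(text):
    """Yield (client_ip, reason) for every log line whose userzone cookie is flagged."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # line not in the expected format; skip rather than guess
        reason = classify(extract_userzone(m.group('cookies')))
        if reason:
            hits.append((m.group('ip'), reason))
    return hits
```

Baseline the a:/s: reasons against known-good traffic before alerting on them, since a legitimate cookie may carry serialized scalar data; the O:/C: reason is the one that maps directly to the object-injection indicator.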
🔗 References
- http://www.securityfocus.com/bid/100976
- https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
- https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
- https://www.exploit-db.com/exploits/43028/
- https://www.exploit-db.com/exploits/43876/