📄 Description (English)
PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability — PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.
🤖 AI Executive Summary
CVE-2020-28949 is a critical deserialization vulnerability in PEAR Archive_Tar that allows remote code execution through case-sensitive bypass of phar: protocol blocking. The vulnerability affects PEAR Archive_Tar versions used in widely-deployed applications like Drupal Core, making it a significant threat to web applications across Saudi organizations. Exploitation requires uploading a malicious tar archive, but the availability of public exploits elevates the risk substantially.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 19, 2026 07:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses critical risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), e-commerce platforms, and healthcare providers using Drupal or PEAR-based applications. Saudi telecommunications companies (STC, Mobily) and energy sector organizations using affected frameworks are at elevated risk. Government digital transformation initiatives and ARAMCO-affiliated IT systems utilizing Drupal are particularly vulnerable. The ability to achieve remote code execution could lead to data breaches, financial fraud, and critical infrastructure compromise.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated)
Government and Public Administration (NCA oversight)
E-commerce and Retail
Healthcare and Medical Services
Telecommunications (STC, Mobily, Zain)
Energy and Utilities (ARAMCO-affiliated)
Education and Universities
Media and Publishing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running PEAR Archive_Tar, particularly Drupal installations (check /vendor/pear/archive_tar/ directory)
2. Disable file upload functionality if not critical until patching is complete
3. Implement Web Application Firewall (WAF) rules to block requests containing 'PHAR:' (uppercase) in tar file headers
PATCHING:
1. Update PEAR Archive_Tar to version 1.4.11 or later immediately
2. For Drupal installations: Update to Drupal 9.1.0+ or apply security patches for earlier versions
3. Verify patch application by checking Archive_Tar version: composer show pear/archive_tar
COMPENSATING CONTROLS (if immediate patching unavailable):
1. Restrict tar file uploads to authenticated users only
2. Implement strict file type validation (magic bytes verification, not just extension checking)
3. Process uploaded tar files in isolated sandboxed environment
4. Disable PHP execution in upload directories via .htaccess or web server configuration
DETECTION:
1. Monitor for HTTP requests with 'PHAR:' (uppercase) in POST/file upload parameters
2. Alert on tar file uploads followed by PHP execution attempts
3. Log and review all Archive_Tar deserialization operations
4. Monitor for suspicious process execution from web server user context
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بـ PEAR Archive_Tar، خاصة تثبيتات Drupal (تحقق من دليل /vendor/pear/archive_tar/)
2. تعطيل وظيفة تحميل الملفات إذا لم تكن حرجة حتى اكتمال التصحيح
3. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على 'PHAR:' (أحرف كبيرة) في رؤوس ملفات tar
التصحيح:
1. تحديث PEAR Archive_Tar إلى الإصدار 1.4.11 أو أحدث فوراً
2. لتثبيتات Drupal: التحديث إلى Drupal 9.1.0+ أو تطبيق التصحيحات الأمنية للإصدارات السابقة
3. التحقق من تطبيق التصحيح بفحص إصدار Archive_Tar: composer show pear/archive_tar
الضوابط البديلة (إذا تعذر التصحيح الفوري):
1. تقييد تحميل ملفات tar للمستخدمين المصرح لهم فقط
2. تطبيق التحقق الصارم من نوع الملف (التحقق من البايتات السحرية، وليس فقط فحص الامتداد)
3. معالجة ملفات tar المحملة في بيئة معزولة محمية
4. تعطيل تنفيذ PHP في دلائل التحميل عبر .htaccess أو إعدادات خادم الويب
الكشف:
1. مراقبة طلبات HTTP التي تحتوي على 'PHAR:' (أحرف كبيرة) في معاملات POST/تحميل الملفات
2. تنبيه عند تحميل ملفات tar متبوعة بمحاولات تنفيذ PHP
3. تسجيل ومراجعة جميع عمليات فك التسلسل في Archive_Tar
4. مراقبة تنفيذ العمليات المريبة من سياق مستخدم خادم الويب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development policy and procedures
ECC 2024 A.14.2.5 - Secure development environment
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.3.1 - Event logging
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.DS-6 - Data integrity and authenticity
DE.CM-1 - Detection processes and tools
RS.RP-1 - Response planning
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.3.1 - Logging
A.13.1.3 - Segregation of networks
🟣 PCI DSS v4.0
6.2 - Security patches and updates
6.5.1 - Injection flaws
10.2 - Implement automated audit trails
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
PEAR:Archive_Tar