Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2017-014

DATE(S) ISSUED:

02/21/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow for remote attackers to execute arbitrary code in the context of the affected application. Failed exploitation could result in a denial-of-service condition.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild. There is known proof-of-concept code for these vulnerabilities.

SYSTEMS AFFECTED:

  • PHP 7.0 prior to 7.0.16
  • PHP 7.1 prior to 7.1.2
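The affected ranges above lend themselves to a quick local check. The following POSIX shell script is an added example and is not part of the MS-ISAC advisory: it parses a PHP version string, strips any distribution or release-candidate suffix, and reports whether the version falls in the 7.0 prior to 7.0.16 or 7.1 prior to 7.1.2 ranges. The function names `php_is_affected` and `report_local_php` are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): version triage against the ranges
# named in MS-ISAC 2017-014 -- PHP 7.0 prior to 7.0.16, PHP 7.1 prior to 7.1.2.

# php_is_affected VERSION
#   exit 0 if VERSION is inside an affected range, 1 otherwise
#   (including unparseable input and major.minor lines not listed).
php_is_affected() {
    ver=$1
    # Keep only the leading digits-and-dots, so "7.0.10-ubuntu0.16.04.2"
    # or "7.1.2RC1" compare on their numeric core.
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    # A bare "7.0" is treated as 7.0.0.
    : "${patch:=0}"
    case "$major.$minor" in
        7.0) [ "$patch" -lt 16 ] ;;
        7.1) [ "$patch" -lt 2 ] ;;
        *)   return 1 ;;
    esac
}

# report_local_php
#   Queries the php binary on PATH (if any) and prints a one-line verdict.
#   Always exits 0 so it can run from inventory scripts without aborting them.
report_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php: not found on PATH"; return 0; }
    v=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || { echo "php: version query failed"; return 0; }
    if php_is_affected "$v"; then
        echo "php $v: inside an affected range of MS-ISAC 2017-014; upgrade after testing"
    else
        echo "php $v: not inside the affected ranges listed"
    fi
    return 0
}

report_local_php
```

Treat the result as a triage aid rather than proof: distributions often backport fixes without changing the upstream version number, so a package that reports 7.0.15 may already carry the fix, and the package changelog or vendor advisory is the authoritative source for that host.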

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • LOW

TECHNICAL SUMMARY:

PHP has released updates that address multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. These vulnerabilities include:

Prior to 7.0.16

·Bug #67583 (double fastcgi_end_request on max_children limit).

·Bug #73916 (zend_print_flat_zval_r doesn't consider reference).

Prior to 7.1.2

·Bug #69061 (mail.log = syslog contains double information).

·Bug #69865 (php-fpm does not close stderr when using syslog).

·Bug #72898 (PHP_FCGI_CHILDREN is not included in phpinfo()).

·Bug #73374 (intval() with base 0 should detect binary).

·Bug #73692 (Compile ext/openssl with openssl 1.1.0 on Win).

·Bug #73877 (readlink() returns garbage for UTF-8 paths).

·Bug #73904 (php-cgi fails to load -c specified php.ini file).

·Bug #73961 (environmental build dependency in hash sha3 source).

·Bug #73962 (bug with symlink related to cyrillic directory).

·Bug #73978 (openssl_decrypt triggers bug in PDO).

·Bug #73994 (arginfo incorrect for unpack).

Prior to 7.0.16 and 7.1.2

·Bug #47021 (SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked").

·Bug #54382 (getAttributeNodeNS doesn't get xmlns* attributes).

·Bug #69442 (closing of fd incorrect when PTS enabled).

·Bug #69582 (session not readable by root in CLI).

·Bug #69865 (php-fpm does not close stderr when using syslog).

·Bug #69899 (segfault on close() after free_result() with mysqlnd).

·Bug #69993 (test for gmp.h needs to test machine includes).

·Bug #70103 (ZipArchive::addGlob ignores remove_all_path option).

·Bug #70417 (PharData::compress() doesn't close temp file).

·Bug #71219 (configure script incorrectly checks for ttyname_r).

·Bug #71519 (add serial hex to return value array).

·Bug #72974 (imap is undefined service on AIX).

·Bug #72979 (money_format stores wrong length AIX).

·Bug #73876 (Crash when exporting **= in expansion of assign op).

·Bug #73896 (spl_autoload() crashes when calls magic _call()).

·Bug #73933 (error/segfault with ldap_mod_replace and opcache).

·Bug #73949 (leak in mysqli_fetch_object).

·Bug #73956 (Link use CC instead of CXX).

·Bug #73959 (lastInsertId fails to throw an exception for wrong sequence name).

·Bug #73965 (DTrace reported as enabled when disabled).

·Bug #73968 (Premature failing of XBM reading).

·Bug #73969 (segfault in debug_print_backtrace).

·Bug #73973 (assertion error in debug_zval_dump).

·Bug #73983 (crash on finish work with phar in cli + opcache).

Successfully exploiting the most severe of these vulnerabilities could allow for remote attackers to execute arbitrary code in the context of the affected application. Failed exploitation could result in a denial-of-service condition.

RECOMMENDATIONS:

We recommend the following actions be taken:

·Upgrade to the latest version of PHP immediately, after appropriate testing.

·Verify that no unauthorized system modifications have occurred on the system before applying the patch.

·Apply the principle of Least Privilege to all systems and services.

·Remind users not to visit websites or follow links provided by unknown or untrusted sources.

REFERENCES:


CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security