
Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2019-005

DATE(S) ISSUED:

01/10/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • PHP 5.6 prior to 5.6.40
  • PHP 7.1 prior to 7.1.26
  • PHP 7.2 prior to 7.2.14
  • PHP 7.3 prior to 7.3.1

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. The releases that address them, and the bugs fixed in each, are listed below. The lists are the complete release changelogs, so non-security fixes appear alongside the memory-safety bugs:

Version 5.6.40

  • Bug #77242 (heap out of bounds read in xmlrpc_decode()).
  • Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
  • Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
  • Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
  • Bug #77370 (buffer overflow on mb regex functions - fetch_token).
  • Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
  • Bug #77380 (global out of bounds read in xmlrpc base64 code).
  • Bug #77381 (heap buffer overflow in multibyte match_at).
  • Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
  • Bug #77385 (buffer overflow in fetch_token).
  • Bug #77394 (buffer overflow in multibyte case folding - unicode).
  • Bug #77418 (heap overflow in utf32be_mbc_to_code).

Version 7.1.26

  • Bug #77020 (null pointer dereference in imap_mail).
  • Bug #77242 (heap out of bounds read in xmlrpc_decode()).
  • Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
  • Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
  • Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
  • Bug #77369 (memcpy with negative length via crafted DNS response).
  • Bug #77370 (buffer overflow on mb regex functions - fetch_token).
  • Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
  • Bug #77380 (global out of bounds read in xmlrpc base64 code).
  • Bug #77381 (heap buffer overflow in multibyte match_at).
  • Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
  • Bug #77385 (buffer overflow in fetch_token).
  • Bug #77394 (buffer overflow in multibyte case folding - unicode).
  • Bug #77418 (heap overflow in utf32be_mbc_to_code).

Version 7.2.14

  • Bug #71041 (zend_signal_startup() needs ZEND_API).
  • Bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
  • Bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
  • Bug #77020 (null pointer dereference in imap_mail).
  • Bug #77051 (Issue with re-binding on SQLite3).
  • Bug #77097 (DateTime::diff gives wrong diff when the actual diff is less than 1 second).
  • Bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
  • Bug #77177 (serializing or unserializing COM objects crashes).
  • Bug #77184 (unsigned rational numbers are written out as signed rationals).
  • Bug #77195 (incorrect error handling of imagecreatefromjpeg()).
  • Bug #77198 (auto cropping has insufficient precision).
  • Bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
  • Bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
  • Bug #77242 (heap out of bounds read in xmlrpc_decode()).
  • Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
  • Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
  • Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
  • Bug #77369 (memcpy with negative length via crafted DNS response).
  • Bug #77370 (buffer overflow on mb regex functions - fetch_token).
  • Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
  • Bug #77380 (global out of bounds read in xmlrpc base64 code).
  • Bug #77381 (heap buffer overflow in multibyte match_at).
  • Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
  • Bug #77385 (buffer overflow in fetch_token).
  • Bug #77394 (buffer overflow in multibyte case folding - unicode).
  • Bug #77418 (heap overflow in utf32be_mbc_to_code).

Version 7.3.1

  • Bug #71041 (zend_signal_startup() needs ZEND_API).
  • Bug #76046 (PHP generates "FE_FREE" opcode on the wrong line).
  • Bug #76654 (build failure on Mac OS X on 32-bit Intel).
  • Bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
  • Bug #77051 (Issue with re-binding on SQLite3).
  • Bug #77088 (segfault when using SoapClient with null options).
  • Bug #77136 (unsupported IPV6_RECVPKTINFO constants on macOS).
  • Bug #77177 (serializing or unserializing COM objects crashes).
  • Bug #77184 (unsigned rational numbers are written out as signed rationals).
  • Bug #77193 (infinite loop in preg_replace_callback).
  • Bug #77195 (incorrect error handling of imagecreatefromjpeg()).
  • Bug #77198 (auto cropping has insufficient precision).
  • Bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
  • Bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
  • Bug #77242 (heap out of bounds read in xmlrpc_decode()).
  • Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
  • Bug #77264 (curl_getinfo returning microseconds not seconds).
  • Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
  • Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
  • Bug #77275 (OPcache optimization problem for ArrayAccess->offsetGet).
  • Bug #77291 (magic methods inherited from a trait may be ignored).
  • Bug #77297 (SodiumException segfaults on PHP 7.3).
  • Bug #77359 (spl_autoload causes segfault).
  • Bug #77360 (class_uses causes segfault).
  • Bug #77367 (negative size parameter in mb_split).
  • Bug #77370 (buffer overflow on mb regex functions - fetch_token).
  • Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
  • Bug #77380 (global out of bounds read in xmlrpc base64 code).
  • Bug #77381 (heap buffer overflow in multibyte match_at).
  • Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
  • Bug #77385 (buffer overflow in fetch_token).
  • Bug #77394 (buffer overflow in multibyte case folding - unicode).
  • Bug #77418 (heap overflow in utf32be_mbc_to_code).

Many of the memory-safety bugs listed above sit in code paths that commonly process untrusted input: the mbstring regular-expression functions (Bugs #77370, #77371, #77381, #77382, #77385, #77394, #77418), xmlrpc_decode() and the xmlrpc base64 decoder (#77242, #77380), phar filename detection (#77247), the gd image functions imagescale() and imagecolormatch() (#77269, #77270), and DNS response parsing (#77369). Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade to the latest version of PHP immediately, after appropriate testing.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
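
The version check behind the first recommendation, as an added example that is not part of this advisory: a POSIX shell script that compares a host's PHP version with the first fixed release for its branch (taken from the SYSTEMS AFFECTED list above) and reports which loaded extensions contain the bugs listed in the Technical Summary. The `php -m` module listing embedded in the script is constructed, not captured from a real host, and the bug-to-extension mapping follows the function names in the bug titles (mbstring regex functions, xmlrpc_decode(), phar filename detection, the gd image functions, imap_mail(), and the DNS code in the standard module).

```shell
#!/bin/sh
# Added example (not part of the MS-ISAC advisory): triage a PHP host against
# the fixed releases listed under SYSTEMS AFFECTED and report which loaded
# extensions carry the listed bugs. POSIX sh plus awk/sed; no network access.

# First fixed release per branch, taken from the SYSTEMS AFFECTED list.
fixed_for_branch() {
  case "$1" in
    5.6) echo 5.6.40 ;;
    7.1) echo 7.1.26 ;;
    7.2) echo 7.2.14 ;;
    7.3) echo 7.3.1 ;;
    *)   echo "" ;;
  esac
}

# Numeric dotted-version compare; prints -1, 0 or 1 (so 7.2.9 sorts below 7.2.14).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# Pull "X.Y.Z" out of the first line of `php -v`, which on distro builds
# looks like "PHP 7.2.13-1+ubuntu18.04 (cli) (built: ...)".
php_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 = at or above the fixed release, 1 = below it, 2 = branch not listed.
php_status() {
  ver="$1"
  branch=$(printf '%s' "$ver" | cut -d. -f1,2)
  fixed=$(fixed_for_branch "$branch")
  if [ -z "$fixed" ]; then
    echo "branch $branch not listed in MS-ISAC 2019-005; check vendor advisories"
    return 2
  fi
  if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
    echo "vulnerable ($ver < $fixed)"
    return 1
  fi
  echo "patched ($ver >= $fixed)"
  return 0
}

# Map the bug list to the extensions that contain the affected code and print
# those that appear in `php -m` output (one module per line). Bug #77369
# (DNS response memcpy) lives in the always-present standard module.
exposed_extensions() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      hit["mbstring"] = "#77367 #77370 #77371 #77381 #77382 #77385 #77394 #77418"
      hit["xmlrpc"]   = "#77242 #77380"
      hit["phar"]     = "#77247"
      hit["gd"]       = "#77269 #77270"
      hit["imap"]     = "#77020"
      hit["standard"] = "#77369"
    }
    { m = tolower($0); if (m in hit) print m ": " hit[m] }'
}

# Constructed `php -m` output for a minimal host (not captured from a real system).
SAMPLE_MODULES='[PHP Modules]
Core
ctype
gd
json
mbstring
standard
xml'

# Demo: check the local interpreter when one is installed, otherwise the sample.
if command -v php >/dev/null 2>&1; then
  v=$(php_version_from_banner "$(php -v 2>/dev/null | head -n 1)")
  if [ -n "$v" ]; then php_status "$v" || :; fi
  exposed_extensions "$(php -m 2>/dev/null)"
else
  php_status 7.2.13 || :
  exposed_extensions "$SAMPLE_MODULES"
fi
```

Run it on the host, or feed `php -v` and `php -m` output collected from a fleet through php_version_from_banner and exposed_extensions. Treat the result as a first pass: distribution packages (Debian, Ubuntu, RHEL) often backport these fixes without moving the upstream version number past the fixed release, so a host reporting 7.2.10 may already be patched. Confirm against the distribution's security advisory or the package changelog before filing it as vulnerable, and remember that the extension list only says which listed bugs are reachable on that host, not that any given application exposes them to untrusted input.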

REFERENCES:

CIS Control that helps avoid this issue: CIS Control 3, Continuous Vulnerability Assessment and Remediation.

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0

Pencil Blog post 20 May 2019
CONTROL: 4 --- ADVISORY CONTROL: 0