Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-011

DATE(S) ISSUED:

01/24/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for arbitrary code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • PHP 7.2 Prior to Version 7.2.27
  • PHP 7.3 Prior to Version 7.3.14
  • PHP 7.4 Prior to Version 7.4.2

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: N/A
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for arbitrary code execution. The issues fixed in each release are listed below; the entries carrying CVE identifiers (CVE-2020-7059 and CVE-2020-7060) are the security fixes, and the remaining entries are functional bug fixes shipped in the same releases.

Version 7.2.27

  • Bug #79037 (global buffer-overflow in mbfl_filt_conv_big5_wchar). (CVE-2020-7060)
  • Bug #79091 (heap use-after-free in session_create_id())
  • Bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)

Version 7.3.14

  • Bug #78999 (Cycle leak when using function result as temporary)
  • Bug #79033 (Curl timeout error with specific url and post)
  • Bug #79015 (undefined-behavior in php_date.c)
  • Bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached)
  • Bug #74170 (locale information change after mime_content_type)
  • Bug #78923 (Artifacts when convoluting image with transparency)
  • Bug #79067 (gdTransformAffineCopy() may use uninitialized values)
  • Bug #79068 (gdTransformAffineCopy() changes interpolation method)
  • Bug #79029 (Use-after-frees in XMLReader / XMLWriter)
  • Bug #79037 (global buffer-overflow in mbfl_filt_conv_big5_wchar). (CVE-2020-7060)
  • Bug #79040 (Warning Opcode handlers are unusable due to ASLR)
  • Bug #78402 (Converting null to string in error message is bad DX)
  • Bug #78983 (pdo_pgsql config.w32 cannot find libpq-fe.h)
  • Bug #78980 (pgsqlGetNotify() overlooks dead connection)
  • Bug #78982 (pdo_pgsql returns dead persistent connection)
  • Bug #79091 (heap use-after-free in session_create_id())
  • Bug #78538 (shmop memory leak)
  • Bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
  • Bug #54298 (Using empty additional_headers adding extraneous CRLF)

Version 7.4.2

  • Bug #79022 (class_exists returns True for classes that are not ready to be used)
  • Bug #78929 (plus signs in cookie values are converted to spaces)
  • Bug #78973 (Destructor during CV freeing causes segfault if opline never saved)
  • Bug #78776 (Abstract method implementation from trait does not check "static")
  • Bug #78999 (Cycle leak when using function result as temporary)
  • Bug #79008 (General performance regression with PHP 7.4 on Windows)
  • Bug #79002 (Serializing uninitialized typed properties with __sleep makes unserialize throw)
  • Bug #79033 (Curl timeout error with specific url and post)
  • Bug #79063 (curl openssl does not respect PKG_CONFIG_PATH)
  • Bug #79015 (undefined-behavior in php_date.c)
  • Bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached)
  • Bug #79046 (NaN to int cast undefined behavior in exif)
  • Bug #74170 (locale information change after mime_content_type)
  • Bug #79067 (gdTransformAffineCopy() may use uninitialized values)
  • Bug #79068 (gdTransformAffineCopy() changes interpolation method)
  • Bug #79029 (Use-after-frees in XMLReader / XMLWriter)
  • Bug #79037 (global buffer-overflow in mbfl_filt_conv_big5_wchar). (CVE-2020-7060)
  • Bug #78961 (erroneous optimization of re-assigned $GLOBALS)
  • Bug #78950 (Preloading trait method with static variables)
  • Bug #78903 (Conflict in RTD key for closures results in crash)
  • Bug #78986 (Opcache segfaults when inheriting ctor from immutable into mutable class)
  • Bug #79040 (Warning Opcode handlers are unusable due to ASLR)
  • Bug #79055 (Typed property become unknown with OPcache file cache)
  • Bug #78402 (Converting null to string in error message is bad DX)
  • Bug #78983 (pdo_pgsql config.w32 cannot find libpq-fe.h)
  • Bug #78980 (pgsqlGetNotify() overlooks dead connection)
  • Bug #78982 (pdo_pgsql returns dead persistent connection)
  • Bug #79091 (heap use-after-free in session_create_id())
  • Bug #79031 (Session unserialization problem)
  • Bug #78538 (shmop memory leak)
  • Bug #79056 (sqlite does not respect PKG_CONFIG_PATH during compilation)
  • Bug #78976 (SplFileObject::fputcsv returns -1 on failure)
  • Bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
  • Bug #79000 (Non-blocking socket stream reports EAGAIN as error)
  • Bug #54298 (Using empty additional_headers adding extraneous CRLF)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade to PHP 7.2.27, 7.3.14, or 7.4.2 (or later) immediately, after appropriate testing.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

REFERENCES:
