
Multiple Vulnerabilities in PHP Could Allow for Denial of Service

MS-ISAC ADVISORY NUMBER:

2020-068

DATE(S) ISSUED:

05/18/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • PHP 7.2.4 Prior to Version 7.3.17
  • PHP 7.3.2 Prior to Version 7.4.5
  • PHP 7.2 Prior to Version 7.2.30

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. Details of these vulnerabilities are as follows:

Version 7.2.30

  • Bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
  • Bug #79330 (shell_exec() silently truncates after a null byte).
  • Bug #79465 (OOB Read in urldecode()).

Version 7.3.17

  • Bug #79364 (When copy empty array, next key is unspecified).
  • Bug #78210 (Invalid pointer address).
  • Bug #79199 (curl_copy_handle() memory leak).
  • Bug #79396 (DateTime hour incorrect during DST jump forward).
  • Bug #79200 (Some iconv functions cut Windows-1258).
  • Bug #79412 (Opcache chokes and uses 100% CPU on specific script).
  • Bug #79413 (session_create_id() fails for active sessions).
  • Bug #79427 (Integer Overflow in shmop_open()).
  • Bug #61597 (SXE properties may lack attributes and content).
  • Bug #75673 (SplStack::unserialize() behavior).
  • Bug #79393 (Null coalescing operator failing with SplFixedArray).
  • Bug #79330 (shell_exec() silently truncates after a null byte).
  • Bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
  • Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline).
  • Bug #79296 (ZipArchive::open fails on empty file).
  • Bug #79424 (php_zip_glob uses gl_pathc after call to globfree).

Version 7.3.18

  • Bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
  • Bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
  • Bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant).
  • Bug #79477 (casting object into array creates references).
  • Bug #79470 (PHP incompatible with 3rd party file system on demand).
  • Bug #78784 (Unable to interact with files inside a VFS for Git repository).
  • Bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
  • Bug #79491 (Search for .user.ini extends up to root dir).
  • Bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
  • Bug #79497 (stream_socket_client() throws an unknown error sometimes with <1s timeout).
  • Bug #79503 (Memory leak on duplicate metadata).
  • Bug #79528 (Different object of the same xml between 7.4.5 and 7.4.4).
  • Bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).

Version 7.4.5

  • Bug #79364 (When copy empty array, next key is unspecified).
  • Bug #78210 (Invalid pointer address).
  • Bug #79199 (curl_copy_handle() memory leak).
  • Bug #79396 (DateTime hour incorrect during DST jump forward).
  • Bug #74940 (DateTimeZone loose comparison always true).
  • Bug #79200 (Some iconv functions cut Windows-1258).
  • Bug #79412 (Opcache chokes and uses 100% CPU on specific script).
  • Bug #79413 (session_create_id() fails for active sessions).
  • Bug #79427 (Integer Overflow in shmop_open()).
  • Bug #61597 (SXE properties may lack attributes and content).
  • Bug #79357 (SOAP request segfaults when any request parameter is missing).
  • Bug #75673 (SplStack::unserialize() behavior).
  • Bug #79393 (Null coalescing operator failing with SplFixedArray).
  • Bug #79330 (shell_exec() silently truncates after a null byte).
  • Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline).
  • Bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
  • Bug #79296 (ZipArchive::open fails on empty file).
  • Bug #79424 (php_zip_glob uses gl_pathc after call to globfree).

Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade to the latest version of PHP immediately, after appropriate testing.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
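
A version check to support the upgrade recommendation, as an added example that is not part of the original advisory: it classifies the first line of `php -v` output against the release numbers listed in the technical summary. The host names and banners are constructed, and using the highest release listed per branch as the target is an assumption.

```python
import re

# Releases named in this advisory's technical summary, keyed by branch.
# Assumption: where a branch lists two releases (7.3.17 and 7.3.18),
# the later one is used as the upgrade target.
FIXED = {(7, 2): (7, 2, 30), (7, 3): (7, 3, 18), (7, 4): (7, 4, 5)}

# First line of `php -v`, e.g. "PHP 7.3.16 (cli) (built: ...)".
# Anything glued to the patch number (distro build tag) lands in group 4.
BANNER = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)(\S*)")


def assess(banner):
    """Return (version_tuple, status) for one `php -v` banner line."""
    m = BANNER.match(banner.strip())
    if not m:
        return (None, "unparsed")
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    target = FIXED.get(ver[:2])
    if target is None:
        return (ver, "branch-not-listed")
    if ver >= target:
        return (ver, "at-or-above-fixed")
    if suffix:
        # Distribution packages often backport fixes without raising the
        # upstream version number, so the number alone is inconclusive.
        return (ver, "check-vendor-backport")
    return (ver, "upgrade")


def triage(inventory):
    """Map host -> status for a {host: banner} inventory."""
    return {host: assess(banner)[1] for host, banner in inventory.items()}


# Constructed sample inventory (not real hosts or real scan output).
SAMPLE = {
    "web-01": "PHP 7.3.16 (cli) (built: Mar 17 2020 10:00:00) ( NTS )",
    "web-02": "PHP 7.2.24-0ubuntu0.18.04.4 (cli) (built: Apr  8 2020 15:45:57) ( NTS )",
    "web-03": "PHP 7.4.5 (cli) (built: Apr 14 2020 12:00:00) ( NTS )",
    "web-04": "PHP 7.3.17 (cli) (built: Apr 14 2020 12:00:00) ( NTS )",
    "legacy": "PHP 5.6.40 (cli) (built: Jan  9 2019 09:00:00)",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:8} {status}")
```

Hosts reported as `check-vendor-backport` need the distribution's own security notice consulted, since the package may already carry the fixes under an older upstream version number.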
