CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx
Web servers using nginx and PHP-FPM are vulnerable to this flaw under certain conditions.
Contexto
On October 22, security researcher Omar Ganiev published a tweet regarding a “freshly patched” remote code execution vulnerability in PHP-FPM, the FastCGI Process Manager (FPM) for PHP. The tweet includes a link to a GitHub repository containing a proof of concept (PoC) for the vulnerability.
Freshly patched RCE in PHP-FPM:https://t.co/kaVsCStBJx
— BECHED (@ahack_ru) October 22, 2019
Exploit:https://t.co/VLmhxMWVxo
Many nginx+PHP configurations vulnerable, watch out!
Análise
CVE-2019-11043 is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c. The vulnerability was first reported to the PHP bug-tracker by security researcher Emil Lerner on September 26, 2019. Lerner also credits Andrew Danau, security researcher at Wallarm, who identified the “anomaly” during a Capture The Flag competition in September 2019, and Ganiev for helping to finalize the php.ini options for the PoC.
According to Lerner, under certain configurations where a web server is using nginx and PHP-FPM, the vulnerability can be exploited to gain remote code execution. These configurations require a certain set of preconditions in order for it to be exploitable. These preconditions include:
- The nginx location directive forwards requests to PHP-FPM
- The fastcgi_split_path_info directive is present and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
- The fastcgi_param directive is used to assign the PATH_INFO variable
- There are no checks in place to determine whether or not a file exists (e.g., using try_files or an if statement)
It appears such configurations and preconditions are not uncommon. According to a recent tweet, Nextcloud, the open-source file hosting software, originally recommended the vulnerable nginx configuration in their installation documentation. Nextcloud has since changed the documentation following the tweet that reported it.
NOTICE THIS TWEET : https://t.co/x68iNP6F7u
— Henry Chen (@chybeta) October 24, 2019
recommended configuration for nextcloud with nginx and php-fpm is vulnerable...#bugbounty #bugbountytip #bugbountytips pic.twitter.com/cAqptRR0Ez
The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests. Once a vulnerable target has been identified, attackers can send specially crafted requests by appending “?a=
Prova de conceito
The PoC script is available in the following GitHub repository.
Solução
On October 24, PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this vulnerability along with other scheduled bug fixes. Those using nginx with PHP-FPM are encouraged to upgrade to a patched version as soon as possible.
If patching is not feasible, the suggested workaround is to include checks to verify whether or not a file exists. This is achieved either by including the try_files directive or using an if statement, such as if (-f $uri).
Identificação de sistemas afetados
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Obtenha mais informações
- PHP Bug-Tracker Entry for CVE-2019-11043
- Wallarm Blog Post on Discovery of the PHP-FPM Flaw
- GitHub Repository with Proof-of-Concept for CVE-2019-11043
Junte-se à equipe de resposta de segurança da Tenable na Tenable.
Saiba mais sobre a Tenable, a primeira plataforma de Cyber Exposure para o gerenciamento holístico da sua superfície de ataque moderna.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Artigos relacionados
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Vulnerability Management