Nasty PHP7 remote code execution bug exploited in the wild
Experts warn that a remote code execution vulnerability in PHP7, tracked as CVE-2019-11043, has been exploited in attacks in the wild.
On October 22, the security expert Omar Ganiev announced via Twitter the availability of a “freshly patched” remote code execution vulnerability in PHP-FPM, the FastCGI Process Manager (FPM) for PHP.
The researcher also shared a link to the PoC code published on GitHub.
The CVE-2019-11043 flaw doesn’t require specific skills to exploit and can be used to take over servers. It is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c, which means that the issue only impacts NGINX servers with PHP-FPM enabled.
The flaw was first reported to the PHP bug-tracker on September 26, 2019 by security expert Emil Lerner, who also credited the researcher Andrew Danau for the issue. Danau discovered the vulnerability during a Capture The Flag competition in September 2019.
Lerner explained that the vulnerability could be exploited to gain remote code execution under certain configurations where a web server is using nginx and PHP-FPM.
“The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests.” reads the analysis published by Tenable. “Once a vulnerable target has been identified, attackers can send specially crafted requests by appending “?a=” in the URL to a vulnerable web server.”
On October 24, PHP maintainers released PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable), which address the CVE-2019-11043 vulnerability. Administrators using nginx with PHP-FPM are urged to upgrade their installs as soon as possible.
The maintainers also suggested a workaround that consists of either including the try_files directive or using an if statement, such as if (-f $uri).
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.