Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution
ITS ADVISORY NUMBER:
2020-011
DATE(S) ISSUED:
Friday, January 24, 2020
SUBJECT:
Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution
OVERVIEW:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for arbitrary code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- PHP 7.2 Prior to Version 7.2.27
- PHP 7.3 Prior to Version 7.3.14
- PHP 7.4 Prior to Version 7.4.2
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Business:
Large and medium business entities: High
Small business entities: High
Home Users: Low
DESCRIPTION:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Version 7.2.27
- Bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
- Bug #79091 (heap use-after-free in session_create_id())
- Bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
Version 7.3.14
- Bug #78999 (Cycle leak when using function result as temporary)
- Bug #79033 (Curl timeout error with specific url and post)
- Bug #79015 (undefined-behavior in php_date.c)
- Bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached)
- Bug #74170 (locale information change after mime_content_type)
- Bug #78923 (Artifacts when convoluting image with transparency)
- Bug #79067 (gdTransformAffineCopy() may use unitialized values)
- Bug #79068 (gdTransformAffineCopy() changes interpolation method)
- Bug #79029 (Use After Free's in XMLReader / XMLWriter)
- Bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
- Bug #79040 (Warning Opcode handlers are unusable due to ASLR)
- Bug #78402 (Converting null to string in error message is bad DX)
- Bug #78983 (pdo_pgsql config.w32 cannot find libpq-fe.h)
- Bug #78980 (pgsqlGetNotify() overlooks dead connection)
- Bug #78982 (pdo_pgsql returns dead persistent connection)
- Bug #79091 (heap use-after-free in session_create_id())
- Bug #78538 (shmop memory leak)
- Bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
- Bug #54298 (Using empty additional_headers adding extraneous CRLF)
Version 7.4.2
- Bug #79022 (class_exists returns True for classes that are not ready to be used)
- Bug #78929 (plus signs in cookie values are converted to spaces)
- Bug #78973 (Destructor during CV freeing causes segfault if online never saved)
- Bug #78776 (Abstract method implementation from trait does not check "static")
- Bug #78999 (Cycle leak when using function result as temporary)
- Bug #79008 (General performance regression with PHP 7.4 on Windows)
- Bug #79002 (Serializing uninitialized typed properties with __sleep makes unserialize throw)
- Bug #79033 (Curl timeout error with specific url and post)
- Bug #79063 (curl openssl does not respect PKG_CONFIG_PATH)
- Bug #79015 (undefined-behavior in php_date.c)
- Bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached)
- Bug #79046 (NaN to int cast undefined behavior in exif)
- Bug #74170 (locale information change after mime_content_type)
- Bug #79067 (gdTransformAffineCopy() may use unitialized values)
- Bug #79068 (gdTransformAffineCopy() changes interpolation method)
- Bug #79029 (Use After Free's in XMLReader / XMLWriter)
- Bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
- Bug #78961 (erroneous optimization of re-assigned $GLOBALS)
- Bug #78950 (Preloading trait method with static variables)
- Bug #78903 (Conflict in RTD key for closures results in crash)
- Bug #78986 (Opcache segfaults when inheriting ctor from immutable into mutable class)
- Bug #79040 (Warning Opcode handlers are unusable due to ASLR)
- Bug #79055 (Typed property become unknown with OPcache file cache)
- Bug #78402 (Converting null to string in error message is bad DX)
- Bug #78983 (pdo_pgsql config.w32 cannot find libpq-fe.h)
- Bug #78980 (pgsqlGetNotify() overlooks dead connection)
- Bug #78982 (pdo_pgsql returns dead persistent connection)
- Bug #79091 (heap use-after-free in session_create_id())
- Bug #79031 (Session unserialization problem)
- Bug #78538 (shmop memory leak)
- Bug #79056 (sqlite does not respect PKG_CONFIG_PATH during compilation)
- Bug #78976 (SplFileObject::fputcsv returns -1 on failure)
- Bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)
- Bug #79000 (Non-blocking socket stream reports EAGAIN as error)
- Bug #54298 (Using empty additional_headers adding extraneous CRLF)
Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
ACTIONS:
- Verify that no unauthorized system modifications have occurred on the system before applying the patch.
- After appropriate testing, immediately apply the latest upgraded version of PHP.
- Apply the principle of Least Privilege to all systems and services.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
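
A version check for triaging an inventory against the SYSTEMS AFFECTED list above, added here as an example and not part of the original advisory. The host names and version strings in the sample are constructed, and treating a pre-release build (RC, alpha, beta, -dev) of a fixed version as still affected is an assumption.

```python
import re

# First fixed release per branch, from SYSTEMS AFFECTED in this advisory.
FIXED_PATCH = {(7, 2): 27, (7, 3): 14, (7, 4): 2}

# Upstream x.y.z plus an optional PHP pre-release tag, e.g. "7.4.2RC1".
# Distro suffixes such as "-0ubuntu0.18.04.1" are ignored.
_VERSION = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(RC\d+|alpha\d+|beta\d+|-dev)?", re.I)


def classify(version_string):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = _VERSION.search(version_string)
    if m is None:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branch not named in the advisory; this check says nothing about it.
        return "not-listed"
    # Compare as integers: as strings, "7.3.9" would sort after "7.3.14".
    # Assumption: a pre-release build of the fixed version counts as prior.
    if patch < fixed or (patch == fixed and m.group(4)):
        return "affected"
    return "fixed"


def triage(inventory):
    """Map each host in {host: version_string} to its status."""
    return {host: classify(v) for host, v in inventory.items()}


# Constructed sample inventory: hypothetical hosts and version strings.
# Caveat: distribution packages may backport fixes without changing the
# upstream number, so confirm an 'affected' result for a distro build
# (db01 below) against the vendor's own security notices.
SAMPLE = {
    "web01": "PHP 7.2.26 (cli) (built: Dec 18 2019 10:00:00) ( NTS )",
    "web02": "PHP 7.3.9 (cli)",
    "web03": "PHP 7.4.2 (cli)",
    "web04": "PHP 7.4.2RC1 (cli)",
    "db01": "7.2.24-0ubuntu0.18.04.1",
    "old01": "PHP 7.1.33 (cli)",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```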
REFERENCES:
PHP:
https://www.php.net/ChangeLog-7.php#7.2.27
https://www.php.net/ChangeLog-7.php#7.3.14
https://www.php.net/ChangeLog-7.php#7.4.2