Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution

ITS Advisory Number: 2015-083
Date(s) Issued: Wednesday, July 22, 2015
Subject: Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in PHP which could allow an attacker to potentially execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of a webserver. 

Systems Affected: 
  • PHP 5.4 prior to 5.4.43

  • PHP 5.5 prior to 5.5.27

  • PHP 5.6 prior to 5.6.11

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High
Description: 

PHP has released updates that address multiple vulnerabilities that could allow for arbitrary code execution. These vulnerabilities include:

Bug 69737 - A vulnerability exists in the spl_heap_object_storage() function when trying to dereference memory that has already been freed.

Bug 69970 - A vulnerability exists in the spl_recursive_it_move_forward_ex() function when trying to dereference memory that has already been freed.

Successful exploitation of these vulnerabilities may allow remote attackers to execute arbitrary code in the context of a webserver. Other bugs fixed in the PHP Core for these versions may be found below.

Version 5.4.43

Bug 69768 - escapeshell*() does not handle "!" as a special character.

Bug 69874 - cannot set empty additional_headers for mail() function.

Bug 69669 - mysqlnd is vulnerable to BACKRONYM. (CVE-2015-3152)

Version 5.5.27

Bug 69768 - escapeshell*() does not handle "!" as a special character.

Bug 69732 - Basic PHP code can induce a segmentation fault.

Bug 69551 - parse_ini_file() function can crash with a segmentation fault.

Bug 69669 - mysqlnd is vulnerable to BACKRONYM. (CVE-2015-3152)

Version 5.6.11

Bug 69768 - escapeshell*() does not handle "!" as a special character.

Bug 69732 - Basic PHP code can induce a segmentation fault.

Bug 69551 - parse_ini_file() function can crash with a segmentation fault.

Bug 69874 - cannot set empty additional_headers for mail() function. 

Bug 69669 - mysqlnd is vulnerable to BACKRONYM. (CVE-2015-3152)

Actions: 
  • After appropriate testing, upgrade to the latest version of PHP immediately.

  • Apply the principle of Least Privilege to all systems and services.

  • Limit user account privileges to only those required.
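To decide which hosts need the upgrade, the ranges under Systems Affected can be checked against an inventory of reported PHP versions. The following is an added example, not part of the original advisory; the function names, hostnames and banner strings are constructed for illustration.

```python
import re

# First fixed release per branch, taken from "Systems Affected" in this advisory.
FIXED = {(5, 4): 43, (5, 5): 27, (5, 6): 11}

# Matches the version in a `php -v` banner or a bare version string.
# Suffixes such as a distribution package revision are ignored.
VERSION_RE = re.compile(r"(?:PHP\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a banner or version string, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one version string against the advisory's ranges.

    Returns 'affected', 'fixed', 'not-listed' (branch outside the
    advisory's scope) or 'unparsed'.
    """
    version = parse_version(text)
    if version is None:
        return "unparsed"
    major, minor, patch = version
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-listed"
    return "affected" if patch < fixed_patch else "fixed"


def audit(inventory):
    """Map host -> status for a dict of host -> reported version string."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "web01": "PHP 5.4.42 (cli) (built: Jun 10 2015 10:00:00)",
    "web02": "PHP 5.5.27 (cli)",
    "web03": "5.6.10-1+deb.example",
    "web04": "PHP 5.3.29 (cli)",
    "web05": "version unknown",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Distribution-packaged PHP builds may carry backported fixes without changing the upstream version number, so an "affected" result on such a build should be confirmed against the vendor's own advisory. Hosts reported as "not-listed" or "unparsed" fall outside the ranges this advisory names and need separate review.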

References:

http://php.net/ChangeLog-5.php#5.4.43

http://php.net/ChangeLog-5.php#5.5.27

http://php.net/ChangeLog-5.php#5.6.11

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152