Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution

ITS Advisory Number: 
2016-198
Date(s) Issued: 
Monday, November 14, 2016
Subject: 
Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for server-side web applications that generate HTML content; it runs on a wide variety of platforms and underlies numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code in the context of the affected application, that is, under the account the PHP interpreter runs as (typically the web server's). Failed exploitation attempts could result in a denial-of-service condition.

Systems Affected: 
  • PHP 7 prior to 7.0.13

  • PHP 5 prior to 5.6.28

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

The PHP project has released updates that address multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. Several of the fixed bugs are in the bundled GD image library and in deserialization code, both of which commonly process attacker-supplied input (uploaded images, serialized data). These vulnerabilities include:

Prior to 7.0.13:

  • Bug (Exception::__toString() cause circular references).

  • Bug (parse_str() without a second argument leads to crash).

  • Bug (Autoload with Opcache allows importing conflicting class name to namespace).

  • Bug ((Sub-)Namespaces unexpected behavior).

  • Bug (try/catch not working with two exceptions inside the same operation).

  • Bug (Exception thrown from error handler causes valgrind warnings (and crashes)).

  • Bug ((Float)"Nano" == NAN).

  • Bug (Integer overflow in imageline() with antialiasing).

  • Bug (imagescale() is not affected by, but affects imagesetinterpolation()).

  • Bug (Integer overflow in gdImageScaleBilinearPalette()).

  • Bug (Stack Buffer Overflow in GD dynamicGetbuf).

  • Bug (Illegal write/read access caused by gdImageAALine overflow).

  • Bug (imagefilltoborder stackoverflow on truecolor images).

  • Bug (Integer overflow in "_php_imap_mail" leads to crash).

  • Bug (Bind reference overwritten on PHP 7).

  • Bug (Simple SIGINT does not have any effect with -rr).

  • Bug (INI files are loaded even when invoked as -n --version).

  • Bug (session_unset() empties values from all variables in which $_SESSION is stored).

  • Bug (SoapServer reports Bad Request when gzipped).

  • Bug (Nested object in "any" element overwrites other fields).

  • Bug (Peer verification fails when using a proxy with SoapClient).

  • Bug (2147483647 is fetched as string).

  • Bug (passing additional_parameters causes mail to fail).

  • Bug (array_replace_recursive sometimes mutates its parameters).

  • Bug (parse_url returns wrong hostname).

  • Bug (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).

Prior to 5.6.28:

  • Bug (try/catch not working with two exceptions inside the same operation).

  • Bug (crash in bzcompress function).

  • Bug (Integer overflow in imageline() with antialiasing).

  • Bug (imagescale() is not affected by, but affects imagesetinterpolation()).

  • Bug (Integer overflow in gdImageScaleBilinearPalette()).

  • Bug (Stack Buffer Overflow in GD dynamicGetbuf).

  • Bug (Illegal write/read access caused by gdImageAALine overflow).

  • Bug (imagefilltoborder stackoverflow on truecolor images).

  • Bug (Integer overflow in "_php_imap_mail" leads to heap overflow).

  • Bug (Use-after-free in ArrayObject Deserialization).

  • Bug (SoapServer reports Bad Request when gzipped).

  • Bug (2147483647 is fetched as string).

  • Bug (passing additional_parameters causes mail to fail).

  • Bug (use after free in userspace streams).

  • Bug (parse_url returns wrong hostname).

  • Bug (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow).

Successfully exploiting the most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code in the context of the affected application. Failed exploitation could result in a denial-of-service condition. Judging by the bug classes listed, the entries most likely to be exploitable for code execution are the memory-safety bugs: the integer and stack buffer overflows in the GD image functions, the heap overflow in "_php_imap_mail", and the use-after-free bugs in ArrayObject deserialization and userspace streams. The NULL pointer dereference in WDDX deserialization and the bzcompress crash are denial-of-service bugs.

Actions: 
  • After appropriate testing, upgrade to PHP 7.0.13 or 5.6.28 (or later) as appropriate for the branch in use. Check every PHP build on the host, not only the command-line interpreter: the web server module (mod_php) or PHP-FPM may be a separate installation.

  • Apply the principle of Least Privilege to all systems and services.

  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Do not open email attachments from unknown or untrusted sources.

  • Limit user account privileges to only those required.
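The following POSIX shell script is an added example for the upgrade action above; it is not part of the advisory and not PHP project code. It compares a PHP version string against the fixed releases named under Systems Affected (7.0.13 and 5.6.28), tolerating distribution suffixes such as "7.0.12-1ubuntu1" and pre-release tags such as "7.0.13RC1". The function names are the example's own; the only facts taken from the advisory are the two fixed version numbers.

```shell
#!/bin/sh
# Added example (not part of the advisory): check a PHP version against the fixed
# releases named in ITS Advisory 2016-198. Function names are this example's own.

FIXED_PHP7="7.0.13"   # PHP 7 branch: fixed in 7.0.13 (from "Systems Affected")
FIXED_PHP5="5.6.28"   # PHP 5 branch: fixed in 5.6.28 (from "Systems Affected")

# Reduce a version string to its numeric dotted prefix, dropping distro or
# pre-release suffixes: "7.0.12-1ubuntu1" -> "7.0.12", "7.0.13RC1" -> "7.0.13".
numeric_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B: exit 0 when dotted version A >= B, comparing up to three
# numeric components; missing components count as 0.
version_ge() {
    v1=$(numeric_version "$1")
    v2=$(numeric_version "$2")
    old_ifs=$IFS
    IFS=.
    set -- $v1
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# php_is_patched VERSION: 0 if VERSION carries the fixes in this advisory,
# 1 if it is an affected release, 2 if it is on a branch the advisory does not cover.
php_is_patched() {
    case "$(numeric_version "$1")" in
        7.*) version_ge "$1" "$FIXED_PHP7" ;;
        5.*) version_ge "$1" "$FIXED_PHP5" ;;
        *)   return 2 ;;
    esac
}

# Pull "X.Y.Z" out of the first line of `php -v` output,
# e.g. "PHP 7.0.12-1ubuntu1 (cli) ( NTS )" -> "7.0.12".
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*$/\1/p'
}

# Print a verdict for a version string; the exit status mirrors php_is_patched.
report_version() {
    php_is_patched "$1" && status=0 || status=$?
    case $status in
        0) echo "PHP $1: at or above the fixed release ($FIXED_PHP7 / $FIXED_PHP5)" ;;
        1) echo "PHP $1: AFFECTED by ITS Advisory 2016-198, upgrade required" ;;
        *) echo "PHP $1: branch not covered by this advisory, check upstream" ;;
    esac
    return $status
}

# Check whichever php binary is on PATH. This is the CLI build only; mod_php or
# PHP-FPM may be a different build and must be checked separately (e.g. php-fpm -v).
check_installed_php() {
    if ! command -v php >/dev/null 2>&1; then
        echo "php not found on PATH"
        return 2
    fi
    report_version "$(php_version_from_banner "$(php -v 2>/dev/null)")"
}

# Run as a script with a version argument to report on that version;
# with no argument nothing runs, so the file can be sourced to reuse the functions.
if [ $# -gt 0 ]; then
    report_version "$1"
fi
```

Usage: `sh php_check.sh 7.0.12` reports the version as affected and exits 1; `. ./php_check.sh && check_installed_php` inspects the php binary on PATH. One caveat a version check cannot resolve: distributions such as Debian and Red Hat often backport fixes without changing the upstream version string, so a build reported as affected here may already carry the fixes; confirm against the package changelog before scheduling an upgrade.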