Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution

ITS Advisory Number: 2016-015
Date(s) Issued: Friday, January 22, 2016
Subject: Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in PHP which could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of a webserver.

Systems Affected: 
  • PHP 7.0 prior to 7.0.2

  • PHP 5.6 prior to 5.6.17

  • PHP 5.5 prior to 5.5.31

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

PHP has released updates that address multiple vulnerabilities that could allow for arbitrary code execution. These vulnerabilities include:

Prior to 7.0.2:

  • Bug 71270 (Heap buffer-overflow in escapeshell functions). (CVE-2016-1904)

Prior to 5.6.17 and 5.5.31:

  • Bug 70661 - A vulnerability exists in the 'zval_ptr_dtor()' function of the 'wddx/wddx.c' source file. This issue can be exploited by sending a specially crafted 'recordset'.

  • Bug 70741 - A vulnerability exists in the 'php_wddx_deserialize_ex()' function when performing deserialization on string-type 'ZVAL'.

Other bugs fixed in the PHP Core for these versions are listed below:

  • Bug 66909 (configure fails utf8_to_mutf7 test).
  • Bug 70958 (Invalid opcode while using ::class as trait method parameter default value).
  • Bug 70957 (self::class cannot be resolved with reflection for abstract class).
  • Bug 70944 (try{ } finally{} can create infinite chains of exceptions).
  • Bug 61751 (SAPI build problem on AIX: Undefined symbol: php_register_internal_extensions).
  • Bug 70755 (fpm_log.c memory leak and buffer overflow).
  • Bug 70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds). (CVE-2016-1903)
  • Bug 68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
  • Bug 70900 (SoapClient systematic out of memory error).
  • Bug 70960 (ReflectionFunction for array_unique returns wrong number of parameters).
  • Bug 60052 (Integer returned as a 64bit integer on X64_86).
  • Bug 70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker()).

Successful exploitation of these vulnerabilities may allow remote attackers to execute arbitrary code in the context of the webserver.

Actions: 
  • Upgrade to the latest version of PHP immediately, after appropriate testing.

  • Apply the principle of Least Privilege to all systems and services.

  • Limit user account privileges to only those required.
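
As an added example (not part of the original advisory), the following Python check compares reported PHP version strings against the fixed releases listed under Systems Affected. The hostnames and version strings are constructed sample data and the function names are hypothetical; a distribution suffix is flagged separately because vendors may backport fixes without changing the upstream version number.

```python
import re

# First fixed release per branch, from "Systems Affected" in this advisory.
FIXED = {(7, 0): 2, (5, 6): 17, (5, 5): 31}

# Finds the first x.y.z in text such as "PHP 5.6.14-0+deb8u1 (cli)".
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def classify(version_text):
    """Return (status, detail) for one reported PHP version string."""
    m = VERSION_RE.search(version_text)
    if not m:
        return ("unparsed", "no x.y.z version found")
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) not in FIXED:
        # The advisory makes no statement about other branches.
        return ("not-listed", f"{major}.{minor} is not named in the advisory")
    fixed = FIXED[(major, minor)]
    # Compare the patch level as an integer: as strings, "9" > "17".
    if patch >= fixed:
        return ("fixed", f"{major}.{minor}.{patch} >= {major}.{minor}.{fixed}")
    detail = f"{major}.{minor}.{patch} < {major}.{minor}.{fixed}"
    # A packaging suffix (-, + or ~ right after x.y.z) marks a vendor build
    # that may carry backported fixes; check the vendor's changelog.
    if re.match(r"[-+~]", version_text[m.end():]):
        return ("affected-check-backports", detail)
    return ("affected", detail)


# Constructed inventory: hostnames and version strings are sample data.
INVENTORY = {
    "web01": "PHP 7.0.1 (cli) (built: Dec 17 2015)",
    "web02": "PHP 5.6.17 (cli)",
    "web03": "PHP 5.6.9 (cli)",
    "web04": "5.5.9-1ubuntu4.14",
    "web05": "PHP 5.4.45 (cli)",
}


def audit(inventory):
    """Classify every host in a {hostname: version string} mapping."""
    return {host: classify(text) for host, text in inventory.items()}


if __name__ == "__main__":
    for host, (status, detail) in sorted(audit(INVENTORY).items()):
        print(f"{host:8} {status:26} {detail}")
```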