CVE-2019-11043

HIGH

Description

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

References

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html

http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html

http://seclists.org/fulldisclosure/2020/Jan/40

https://access.redhat.com/errata/RHSA-2019:3286

https://access.redhat.com/errata/RHSA-2019:3287

https://access.redhat.com/errata/RHSA-2019:3299

https://access.redhat.com/errata/RHSA-2019:3300

https://access.redhat.com/errata/RHSA-2019:3724

https://access.redhat.com/errata/RHSA-2019:3735

https://access.redhat.com/errata/RHSA-2019:3736

https://access.redhat.com/errata/RHSA-2020:0322

https://bugs.php.net/bug.php?id=78599

https://github.com/neex/phuip-fpizdam

https://lists.fedoraproject.org/archives/list/[email protected]/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/

https://lists.fedoraproject.org/archives/list/[email protected]/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/

https://lists.fedoraproject.org/archives/list/[email protected]/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/

https://seclists.org/bugtraq/2020/Jan/44

https://security.netapp.com/advisory/ntap-20191031-0003/

https://support.apple.com/kb/HT210919

https://support.f5.com/csp/article/K75408500?utm_source=f5support&utm_medium=RSS

https://usn.ubuntu.com/4166-1/

https://usn.ubuntu.com/4166-2/

https://www.debian.org/security/2019/dsa-4552

https://www.debian.org/security/2019/dsa-4553

https://www.synology.com/security/advisory/Synology_SA_19_36

Details

Source: MITRE

Published: 2019-10-28

Updated: 2020-08-18

Type: CWE-787

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins


| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145689 | CentOS 8 : php:7.3 (CESA-2019:3736) | Nessus | CentOS Local Security Checks | high |
| 145659 | CentOS 8 : php:7.2 (CESA-2019:3735) | Nessus | CentOS Local Security Checks | high |
| 144531 | Virtuozzo 6 : php / php-bcmath / php-cli / php-common / php-dba / etc (VZLSA-2019-3287) | Nessus | Virtuozzo Local Security Checks | high |
| 138155 | RHEL 7 : php (RHSA-2020:2835) | Nessus | Red Hat Local Security Checks | high |
| 137966 | EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2020-1747) | Nessus | Huawei Local Security Checks | critical |
| 136744 | PHP Remote Code Execution Vulnerability (CVE-2019-11043). | Nessus | CGI abuses | high |
| 134323 | NewStart CGSL MAIN 4.05 : php Vulnerability (NS-SA-2020-0018) | Nessus | NewStart CGSL Local Security Checks | high |
| 134199 | SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1) | Nessus | SuSE Local Security Checks | high |
| 133531 | macOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6 | Nessus | MacOS X Local Security Checks | critical |
| 133446 | RHEL 8 : php:7.2 (RHSA-2020:0322) | Nessus | Red Hat Local Security Checks | high |
| 133087 | NewStart CGSL CORE 5.05 / MAIN 5.05 : php Vulnerability (NS-SA-2020-0001) | Nessus | NewStart CGSL Local Security Checks | high |
| 132812 | EulerOS Virtualization for ARM 64 3.0.5.0 : php (EulerOS-SA-2020-1058) | Nessus | Huawei Local Security Checks | high |
| 132184 | EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649) | Nessus | Huawei Local Security Checks | critical |
| 131820 | EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2546) | Nessus | Huawei Local Security Checks | high |
| 131732 | PHP 7.4.x < 7.4.0 Multiple Vulnerabilities. | Nessus | CGI abuses | high |
| 131592 | EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438) | Nessus | Huawei Local Security Checks | critical |
| 131418 | NewStart CGSL CORE 5.04 / MAIN 5.04 : php Vulnerability (NS-SA-2019-0214) | Nessus | NewStart CGSL Local Security Checks | high |
| 131361 | EulerOS 2.0 SP8 : php (EulerOS-SA-2019-2295) | Nessus | Huawei Local Security Checks | high |
| 131271 | Oracle Linux 8 : php:7.3 (ELSA-2019-3736) | Nessus | Oracle Linux Local Security Checks | high |
| 131270 | Oracle Linux 8 : php:7.2 (ELSA-2019-3735) | Nessus | Oracle Linux Local Security Checks | high |
| 701235 | PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution | Nessus Network Monitor | Web Servers | high |
| 130888 | openSUSE Security Update : php7 (openSUSE-2019-2457) | Nessus | SuSE Local Security Checks | high |
| 130758 | Virtuozzo 7 : php / php-bcmath / php-cli / php-common / php-dba / etc (VZLSA-2019-3286) | Nessus | Virtuozzo Local Security Checks | high |
| 130739 | RHEL 8 : php:7.3 (RHSA-2019:3736) | Nessus | Red Hat Local Security Checks | high |
| 130738 | RHEL 8 : php:7.2 (RHSA-2019:3735) | Nessus | Red Hat Local Security Checks | high |
| 130621 | SUSE SLES12 Security Update : php72 (SUSE-SU-2019:2909-1) | Nessus | SuSE Local Security Checks | high |
| 130617 | FreeBSD : php -- env_path_info underflow in fpm_main.c can lead to RCE (6a7c2ab0-00dd-11ea-83ce-705a0f828759) | Nessus | FreeBSD Local Security Checks | high |
| 130580 | openSUSE Security Update : php7 (openSUSE-2019-2441) | Nessus | SuSE Local Security Checks | high |
| 130499 | Scientific Linux Security Update : php on SL6.x i386/x86_64 (20191031) | Nessus | Scientific Linux Local Security Checks | high |
| 130497 | Oracle Linux 6 : php (ELSA-2019-3287) | Nessus | Oracle Linux Local Security Checks | high |
| 130482 | Fedora 30 : php (2019-7bb07c3b02) | Nessus | Fedora Local Security Checks | high |
| 130476 | Fedora 29 : php (2019-187ae3128d) | Nessus | Fedora Local Security Checks | high |
| 130474 | CentOS 6 : php (CESA-2019:3287) | Nessus | CentOS Local Security Checks | high |
| 130473 | CentOS 7 : php (CESA-2019:3286) | Nessus | CentOS Local Security Checks | high |
| 130471 | Amazon Linux AMI : php71 / php72,php73,php56 (ALAS-2019-1315) | Nessus | Amazon Linux Local Security Checks | high |
| 130470 | Amazon Linux 2 : php (ALAS-2019-1344) | Nessus | Amazon Linux Local Security Checks | high |
| 130447 | Scientific Linux Security Update : php on SL7.x x86_64 (20191031) | Nessus | Scientific Linux Local Security Checks | high |
| 130446 | RHEL 6 : php (RHSA-2019:3287) | Nessus | Red Hat Local Security Checks | high |
| 130445 | RHEL 7 : php (RHSA-2019:3286) | Nessus | Red Hat Local Security Checks | high |
| 130442 | Oracle Linux 7 : php (ELSA-2019-3286) | Nessus | Oracle Linux Local Security Checks | high |
| 130421 | SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2019:2819-1) | Nessus | SuSE Local Security Checks | high |
| 130411 | Fedora 31 : php (2019-4adc49a476) | Nessus | Fedora Local Security Checks | high |
| 130390 | SUSE SLES12 Security Update : php7 (SUSE-SU-2019:2809-1) | Nessus | SuSE Local Security Checks | high |
| 130362 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : PHP vulnerability (USN-4166-1) | Nessus | Ubuntu Local Security Checks | high |
| 130350 | Debian DSA-4553-1 : php7.3 - security update | Nessus | Debian Local Security Checks | high |
| 130349 | Debian DSA-4552-1 : php7.0 - security update | Nessus | Debian Local Security Checks | high |
| 130329 | GLSA-201910-01 : PHP: Arbitrary code execution | Nessus | Gentoo Local Security Checks | high |
| 130283 | Debian DLA-1970-1 : php5 security update | Nessus | Debian Local Security Checks | high |
| 130276 | PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution Vulnerability. | Nessus | CGI abuses | high |