CVE-2019-11043

HIGH

Description

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

References

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html

http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html

http://seclists.org/fulldisclosure/2020/Jan/40

https://access.redhat.com/errata/RHSA-2019:3286

https://access.redhat.com/errata/RHSA-2019:3287

https://access.redhat.com/errata/RHSA-2019:3299

https://access.redhat.com/errata/RHSA-2019:3300

https://access.redhat.com/errata/RHSA-2019:3724

https://access.redhat.com/errata/RHSA-2019:3735

https://access.redhat.com/errata/RHSA-2019:3736

https://access.redhat.com/errata/RHSA-2020:0322

https://bugs.php.net/bug.php?id=78599

https://github.com/neex/phuip-fpizdam

https://lists.fedoraproject.org/archives/list/[email protected]/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/

https://lists.fedoraproject.org/archives/list/[email protected]/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/

https://lists.fedoraproject.org/archives/list/[email protected]/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/

https://seclists.org/bugtraq/2020/Jan/44

https://security.netapp.com/advisory/ntap-20191031-0003/

https://support.apple.com/kb/HT210919

https://support.f5.com/csp/article/K75408500?utm_source=f5support&utm_medium=RSS

https://usn.ubuntu.com/4166-1/

https://usn.ubuntu.com/4166-2/

https://www.debian.org/security/2019/dsa-4552

https://www.debian.org/security/2019/dsa-4553

https://www.synology.com/security/advisory/Synology_SA_19_36

Details

Source: MITRE

Published: 2019-10-28

Updated: 2020-08-18

Type: CWE-787

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Tenable Plugins

View all (46 total)

ID	Name	Product	Family	Severity
138155	RHEL 7 : php (RHSA-2020:2835)	Nessus	Red Hat Local Security Checks	high
137966	EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2020-1747)	Nessus	Huawei Local Security Checks	critical
136744	PHP Remote Code Execution Vulnerability (CVE-2019-11043).	Nessus	CGI abuses	high
134323	NewStart CGSL MAIN 4.05 : php Vulnerability (NS-SA-2020-0018)	Nessus	NewStart CGSL Local Security Checks	high
134199	SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1)	Nessus	SuSE Local Security Checks	high
133531	macOS 10.15.x < 10.15.3 / 10.14.x < 10.14.6 / 10.13.x < 10.13.6	Nessus	MacOS X Local Security Checks	critical
133446	RHEL 8 : php:7.2 (RHSA-2020:0322)	Nessus	Red Hat Local Security Checks	high
133087	NewStart CGSL CORE 5.05 / MAIN 5.05 : php Vulnerability (NS-SA-2020-0001)	Nessus	NewStart CGSL Local Security Checks	high
132812	EulerOS Virtualization for ARM 64 3.0.5.0 : php (EulerOS-SA-2020-1058)	Nessus	Huawei Local Security Checks	high
132184	EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)	Nessus	Huawei Local Security Checks	critical
131820	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2546)	Nessus	Huawei Local Security Checks	high
131732	PHP 7.4.x < 7.4.0 Multiple Vulnerabilities.	Nessus	CGI abuses	high
131592	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)	Nessus	Huawei Local Security Checks	critical
131418	NewStart CGSL CORE 5.04 / MAIN 5.04 : php Vulnerability (NS-SA-2019-0214)	Nessus	NewStart CGSL Local Security Checks	high
131361	EulerOS 2.0 SP8 : php (EulerOS-SA-2019-2295)	Nessus	Huawei Local Security Checks	high
131271	Oracle Linux 8 : php:7.3 (ELSA-2019-3736)	Nessus	Oracle Linux Local Security Checks	high
131270	Oracle Linux 8 : php:7.2 (ELSA-2019-3735)	Nessus	Oracle Linux Local Security Checks	high
701235	PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution	Nessus Network Monitor	Web Servers	high
130888	openSUSE Security Update : php7 (openSUSE-2019-2457)	Nessus	SuSE Local Security Checks	high
130758	Virtuozzo 7 : php / php-bcmath / php-cli / php-common / php-dba / etc (VZLSA-2019-3286)	Nessus	Virtuozzo Local Security Checks	high
130739	RHEL 8 : php:7.3 (RHSA-2019:3736)	Nessus	Red Hat Local Security Checks	high
130738	RHEL 8 : php:7.2 (RHSA-2019:3735)	Nessus	Red Hat Local Security Checks	high
130621	SUSE SLES12 Security Update : php72 (SUSE-SU-2019:2909-1)	Nessus	SuSE Local Security Checks	high
130617	FreeBSD : php -- env_path_info underflow in fpm_main.c can lead to RCE (6a7c2ab0-00dd-11ea-83ce-705a0f828759)	Nessus	FreeBSD Local Security Checks	high
130580	openSUSE Security Update : php7 (openSUSE-2019-2441)	Nessus	SuSE Local Security Checks	high
130499	Scientific Linux Security Update : php on SL6.x i386/x86_64 (20191031)	Nessus	Scientific Linux Local Security Checks	high
130497	Oracle Linux 6 : php (ELSA-2019-3287)	Nessus	Oracle Linux Local Security Checks	high
130482	Fedora 30 : php (2019-7bb07c3b02)	Nessus	Fedora Local Security Checks	high
130476	Fedora 29 : php (2019-187ae3128d)	Nessus	Fedora Local Security Checks	high
130474	CentOS 6 : php (CESA-2019:3287)	Nessus	CentOS Local Security Checks	high
130473	CentOS 7 : php (CESA-2019:3286)	Nessus	CentOS Local Security Checks	high
130471	Amazon Linux AMI : php71 / php72,php73,php56 (ALAS-2019-1315)	Nessus	Amazon Linux Local Security Checks	high
130470	Amazon Linux 2 : php (ALAS-2019-1344)	Nessus	Amazon Linux Local Security Checks	high
130447	Scientific Linux Security Update : php on SL7.x x86_64 (20191031)	Nessus	Scientific Linux Local Security Checks	high
130446	RHEL 6 : php (RHSA-2019:3287)	Nessus	Red Hat Local Security Checks	high
130445	RHEL 7 : php (RHSA-2019:3286)	Nessus	Red Hat Local Security Checks	high
130442	Oracle Linux 7 : php (ELSA-2019-3286)	Nessus	Oracle Linux Local Security Checks	high
130421	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2019:2819-1)	Nessus	SuSE Local Security Checks	high
130411	Fedora 31 : php (2019-4adc49a476)	Nessus	Fedora Local Security Checks	high
130390	SUSE SLES12 Security Update : php7 (SUSE-SU-2019:2809-1)	Nessus	SuSE Local Security Checks	high
130362	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : PHP vulnerability (USN-4166-1)	Nessus	Ubuntu Local Security Checks	high
130350	Debian DSA-4553-1 : php7.3 - security update	Nessus	Debian Local Security Checks	high
130349	Debian DSA-4552-1 : php7.0 - security update	Nessus	Debian Local Security Checks	high
130329	GLSA-201910-01 : PHP: Arbitrary code execution	Nessus	Gentoo Local Security Checks	high
130283	Debian DLA-1970-1 : php5 security update	Nessus	Debian Local Security Checks	high
130276	PHP < 7.1.33 / 7.2.x < 7.2.24 / 7.3.x < 7.3.11 Remote Code Execution Vulnerability.	Nessus	CGI abuses	high