PHP 7.0.x < 7.0.15 Multiple Vulnerabilities

Critical Nessus Plugin ID 96800

Synopsis

The version of PHP running on the remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.15. It is, therefore, affected by the following vulnerabilities :

- A remote code execution vulnerability exists due to a use-after-free error in the unserialize() function that is triggered when using DateInterval input. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in a denial of service condition or the execution of arbitrary code.
(CVE-2015-2787)

- A use-after-free error exists that is triggered when handling unserialized object properties. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.
(CVE-2016-7479)

- An integer overflow condition exists in the
_zend_hash_init() function in zend_hash.c due to improper validation of unserialized objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-5340)

- A floating pointer exception flaw exists in the exif_convert_any_to_int() function in exif.c that is triggered when handling TIFF and JPEG image tags. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10158)

- An integer overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper validation when handling phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10159)

- An off-by-one overflow condition exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10160)

- An out-of-bounds read error exists in the finish_nested_data() function in var_unserializer.c due to improper validation of unserialized data. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition or the disclosure of memory contents.
(CVE-2016-10161)

- A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2016-10162)

- An signed integer overflow condition exists in gd_io.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact.

- A type confusion flaw exists that is triggered during the deserialization of specially crafted GMP objects. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition.

- A type confusion error exists that is triggered when deserializing ZVAL objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

- A denial of service vulnerability exists in the bundled GD Graphics Library (LibGD) in the gdImageCreateFromGd2Ctx() function in gd_gd2.c due to improper validation of images. An unauthenticated, remote attacker can exploit this, via a specially crafted image, to crash the process. (CVE-2016-10167)

- An integer overflow condition exists in the gd_io.c script of the GD Graphics Library (libgd). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-10168)

- An out-of-bounds read error exists in the phar_parse_pharfile() function in phar.c due to improper parsing of phar archives. An unauthenticated, remote attacker can exploit this to cause a crash, resulting in a denial of service condition. (CVE-2017-11147)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PHP version 7.0.15 or later.

See Also

http://php.net/ChangeLog-7.php#7.0.15

Plugin Details

Severity: Critical

ID: 96800

File Name: php_7_0_15.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2017/01/26

Updated: 2019/03/27

Dependencies: 48243

Risk Information

Risk Factor: Critical

CVSS Score Source: manual

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Required KB Items: www/PHP

Exploit Available: false

Exploit Ease: No exploit is required

Patch Publication Date: 2017/01/19

Vulnerability Publication Date: 2015/03/17

Reference Information

CVE: CVE-2015-2787, CVE-2016-7479, CVE-2017-5340, CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-10162, CVE-2016-10167, CVE-2016-10168, CVE-2017-11147

BID: 73431, 95151, 95371, 95668, 95764, 95768, 95774, 95783, 95869, 99607