PHP 5.6.x < 5.6.25 / 7.0.x < 7.0.10 Multiple Vulnerabilities

Severity: High | Nessus Network Monitor Plugin ID 9551

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.6.x prior to 5.6.25 and 7.0.x prior to 7.0.10 are vulnerable to the following issues:

- An uninitialized memory use flaw exists in the 'openssl_seal()' function. This may allow a remote attacker to potentially execute arbitrary code.
- A use-after-free error exists in 'SPL_METHOD(SplObjectStorage)' in 'ext/spl/spl_observer.c'. The issue is triggered when handling unserialize calls. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists related to certificate validation in the 'ftp_ssl_connect()' function. The issue is due to the server hostname not being verified to match a domain name in the 'Subject's Common Name' (CN) or 'SubjectAltName' field of the X.509 certificate. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
- An overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- A flaw exists in the 'object_common2()' function in 'ext/standard/var_unserializer.c' that is triggered when handling objects during unserialization. This may allow a remote attacker to potentially execute arbitrary code.
- An integer overflow condition exists in the 'php_snmp_parse_oid()' function in 'ext/snmp/snmp.c'. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- An integer truncation flaw exists in the 'select_colors()' function in 'ext/gd/libgd/gd_topal.c' that is triggered when handling the number of colors. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- An integer overflow condition exists in the 'sql_regcase()' function in 'ext/ereg/ereg.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
- A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered during the handling of Base64 binary values. This may allow a remote attacker to cause a denial of service.
- A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c'. This may allow a remote attacker to cause a denial of service.
- An integer overflow condition exists in the 'php_base64_encode()' function in 'ext/standard/base64.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
- A NULL pointer dereference flaw exists in the 'php_wddx_deserialize_ex()' function in 'ext/wddx/wddx.c' that is triggered during the handling of invalid XML content. This may allow a remote attacker to cause a denial of service.
- An integer overflow condition exists in the 'php_quot_print_encode()' function in 'ext/standard/quot_print.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
- A use-after-free error exists in the 'unserialize()' function in 'ext/standard/var.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A flaw exists in the 'php_ftp_fopen_connect()' function in 'ext/standard/ftp_fopen_wrapper.c' as it may silently downgrade to regular FTP even if a secure method has been requested. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the FTP communication.
- A flaw exists in the 'php_wddx_process_data()' function in 'ext/wddx/wddx.c' that is triggered when deserializing invalid dateTime values. This may allow a remote attacker to cause a crash.
- A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered when handling TIFF image content. This may allow a remote attacker to disclose memory contents.
- An integer overflow condition exists in the 'php_url_encode()' function in 'ext/standard/url.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow condition exists in the 'php_uuencode()' function in 'ext/standard/uuencode.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow condition exists in the 'bzdecompress()' function in 'ext/bz2/bz2.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
- An integer overflow condition exists in the 'zend_mm_realloc_heap()' function in 'Zend/zend_alloc.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- An array indexing flaw exists in the 'imagegammacorrect()' function in 'ext/gd/gd.c' that is triggered when handling negative gamma values. This may allow a remote attacker to write a NULL to an arbitrary memory location, causing a crash or potentially allowing the execution of arbitrary code.
- An integer overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long escaped strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
- A flaw exists in 'ext/session/session.c' that is triggered when handling session names. This may allow a remote attacker to inject arbitrary data into sessions.

Solution

Upgrade to PHP version 7.0.10 or later. If 7.x cannot be obtained, 5.6.25 has also been patched for these vulnerabilities.
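The version ranges above (5.6.x before 5.6.25, 7.0.x before 7.0.10) can be checked against a server's advertised PHP version. The following is an added example, not Tenable's plugin code: it parses a PHP version out of a constructed `X-Powered-By` or `Server` header value and reports whether that release falls inside the affected range. The header dictionary and banner strings are constructed sample input.

```python
import re

# Fixed releases named in this advisory; any earlier release on the same
# branch is affected. Other branches (5.5, 7.1, ...) are out of scope here.
FIXED = {(5, 6): (5, 6, 25), (7, 0): (7, 0, 10)}

# Matches 'PHP/5.6.24-0ubuntu1', 'PHP 7.0.9' and similar banner forms.
_VER_RE = re.compile(r"PHP[/ ]?(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner):
    """Return (major, minor, patch) from a header value, or None if absent."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when version is 5.6.x < 5.6.25 or 7.0.x < 7.0.10."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed


def triage(headers):
    """Classify a response by its PHP banner (constructed dict of headers).

    Returns (version, verdict) with verdict one of
    'affected', 'patched', 'other-branch' or 'unknown'.
    """
    version = None
    for name in ("X-Powered-By", "Server"):
        version = parse_php_version(headers.get(name, ""))
        if version:
            break
    if version is None:
        return None, "unknown"
    if version[:2] not in FIXED:
        return version, "other-branch"
    return version, "affected" if is_affected(version) else "patched"


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    samples = [
        {"X-Powered-By": "PHP/5.6.24-0ubuntu1"},
        {"X-Powered-By": "PHP/7.0.10"},
        {"Server": "Apache/2.4.18 (Ubuntu)"},
    ]
    for hdrs in samples:
        print(hdrs, "->", triage(hdrs))
```

Banner-based checks only see the upstream version string; distributions that backport fixes without changing the version will show as affected here even when patched, so confirm against the vendor's package changelog before acting on a hit.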

See Also

http://php.net/ChangeLog-5.php#5.6.25

http://php.net/ChangeLog-7.php#7.0.10

Plugin Details

Severity: High

ID: 9551

Family: Web Servers

Published: 9/26/2016

Updated: 3/6/2019

Nessus ID: 93077, 93078

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 8/18/2016

Vulnerability Publication Date: 8/3/2016

Reference Information

CVE: CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7133, CVE-2016-7134

BID: 92552, 92757, 92758, 92764, 92765, 92766