Multiple Vulnerabilities in PHP Discovered

A cybersecurity advisory was issued Monday, May 18, 2020, regarding multiple vulnerabilities in PHP. The vulnerabilities could allow an attacker to crash the PHP process, possibly causing a denial-of-service condition once the process stops running.

What It Is:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.

Read the original PHP ChangeLogs below for more information:

Version 7.2.31
Version 7.3.18
Version 7.4.6

Threat Intelligence:
There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected:

• PHP 7.2 Prior to Version 7.2.31
• PHP 7.3 Prior to Version 7.3.18
• PHP 7.4 Prior to Version 7.4.6

Risk:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: Low

What It Means:
If you and/or your business utilize the PHP versions mentioned above, you will need to upgrade to the latest version of PHP following proper testing.
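A way to check a host or an inventory against the affected ranges listed under Systems Affected, as an added example that is not part of the original advisory. The helper name `php_advisory_status` is hypothetical and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). Fixed releases are taken from its
# "Systems Affected" list: 7.2.31, 7.3.18, 7.4.6.
# php_advisory_status is a hypothetical helper name.

# Usage: php_advisory_status VERSION
# Prints: affected | patched | out-of-scope | unparsable
php_advisory_status() {
    # Drop distro/build suffixes such as "-4ubuntu2.18" or "+deb10u1".
    ver=${1%%[-+~]*}
    case "$ver" in
        *.*.*) ;;
        *) echo unparsable; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch_raw=${rest#*.}
    patch=${patch_raw%%[!0-9]*}   # numeric release, e.g. "6" from "6RC1"
    pre=${patch_raw#"$patch"}     # pre-release tag, e.g. "RC1" (may be empty)
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unparsable; return 0 ;;
        esac
    done
    # First fixed release on each branch the advisory covers.
    case "$major.$minor" in
        7.2) fixed=31 ;;
        7.3) fixed=18 ;;
        7.4) fixed=6 ;;
        *) echo out-of-scope; return 0 ;;   # branch not listed in the advisory
    esac
    # A pre-release of the fixed version (e.g. 7.4.6RC1) still predates it.
    if [ "$patch" -lt "$fixed" ] || { [ "$patch" -eq "$fixed" ] && [ -n "$pre" ]; }; then
        echo affected
    else
        echo patched
    fi
}

# Constructed sample inventory; on a real host pass "$(php -r 'echo PHP_VERSION;')".
for v in 7.2.30 7.3.18 7.4.6RC1 7.4.3-4ubuntu2.18 8.0.0 not-a-version; do
    printf '%-20s %s\n' "$v" "$(php_advisory_status "$v")"
done
```

Distribution packages often backport security fixes without changing the upstream version number, so confirm an `affected` result for a packaged build against the vendor's package changelog.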

Technical Summary:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Version 7.2.30
• Bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
• Bug #79330 (shell_exec() silently truncates after a null byte).
• Bug #79465 (OOB Read in urldecode()).

Version 7.3.17
• Bug #79364 (When copy empty array, next key is unspecified).
• Bug #78210 (Invalid pointer address).
• Bug #79199 (curl_copy_handle() memory leak).
• Bug #79396 (DateTime hour incorrect during DST jump forward).
• Bug #79200 (Some iconv functions cut Windows-1258).
• Bug #79412 (Opcache chokes and uses 100% CPU on specific script).
• Bug #79413 (session_create_id() fails for active sessions).
• Bug #79427 (Integer Overflow in shmop_open()).
• Bug #61597 (SXE properties may lack attributes and content).
• Bug #75673 (SplStack::unserialize() behavior).
• Bug #79393 (Null coalescing operator failing with SplFixedArray).
• Bug #79330 (shell_exec() silently truncates after a null byte).
• Bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
• Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline).
• Bug #79296 (ZipArchive::open fails on empty file).
• Bug #79424 (php_zip_glob uses gl_pathc after call to globfree).

Version 7.3.18
• Bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
• Bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
• Bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant).
• Bug #79477 (casting object into array creates references).
• Bug #79470 (PHP incompatible with 3rd party file system on demand).
• Bug #78784 (Unable to interact with files inside a VFS for Git repository).
• Bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
• Bug #79491 (Search for .user.ini extends up to root dir).
• Bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
• Bug #79497 (stream_socket_client() throws an unknown error sometimes with <1s timeout).
• Bug #79503 (Memory leak on duplicate metadata).
• Bug #79528 (Different object of the same xml between 7.4.5 and 7.4.4).
• Bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).

Version 7.4.5
• Bug #79364 (When copy empty array, next key is unspecified).
• Bug #78210 (Invalid pointer address).
• Bug #79199 (curl_copy_handle() memory leak).
• Bug #79396 (DateTime hour incorrect during DST jump forward).
• Bug #74940 (DateTimeZone loose comparison always true).
• Bug #79200 (Some iconv functions cut Windows-1258).
• Bug #79412 (Opcache chokes and uses 100% CPU on specific script).
• Bug #79413 (session_create_id() fails for active sessions).
• Bug #79427 (Integer Overflow in shmop_open()).
• Bug #61597 (SXE properties may lack attributes and content).
• Bug #79357 (SOAP request segfaults when any request parameter is missing).
• Bug #75673 (SplStack::unserialize() behavior).
• Bug #79393 (Null coalescing operator failing with SplFixedArray).
• Bug #79330 (shell_exec() silently truncates after a null byte).
• Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline).
• Bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
• Bug #79296 (ZipArchive::open fails on empty file).
• Bug #79424 (php_zip_glob uses gl_pathc after call to globfree).

What To Do:
We recommend the following actions be taken:

• Upgrade to the latest version of PHP immediately, after appropriate testing.
• Verify no unauthorized system modifications have occurred on the system before applying the patch.
• Apply the Principle of Least Privilege to all systems and services.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.

Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.

Should your agency or business need assistance with issues arising from vulnerabilities in PHP including updates and/or patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.