SUBJECT: CVE-2019-11043 PHP Buffer Overflow Remote Code Execution Vulnerability
TECH STACK: PHP FPM v.7.3.10 and below
DATE(S) ISSUED: 10/28/2019
CRITICALITY: 9.8
OVERVIEW:
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain
configurations of FPM setup it is possible to cause FPM module to write past allocated
buffers into the space reserved for FCGI protocol data, thus opening the possibility of
remote code execution. Only servers with certain Nginx + PHP-FPM configurations are
exploitable.
THREAT INTELLIGENCE:
Exploit code for this vulnerability is publicly available and it is actively being exploited by
malicious actors.
SOLUTION:
PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this
vulnerability along with other scheduled bug fixes. As only servers with a specific
nginx/PHP-FPM pair configuration are currently vulnerable, checking server versions and
ensuring this combination is not present is considered best practice. Those using nginx with
PHP-FPM are encouraged to upgrade to a patched version as soon as possible.
REFERENCES:
NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-11043
TrendMicro: PHP-FPM Vulnerability
Tenable Blog: CVE-2019-11043
