This vulnerability report details a series of critical security issues found in PHP versions prior to 5.4.42. The vulnerabilities span a range of problems from heap buffer overflows in the Perl-Compatible Regular Expression (PCRE) library, denial of service (DoS) in SQLite, security bypasses, to arbitrary command injection and more. These flaws represent a significant security risk, potentially allowing attackers to execute arbitrary code, bypass security restrictions, or cause a denial of service on affected systems.
Understanding the Vulnerabilities
-
Heap Buffer Overflows in PCRE: The identified heap buffer overflows in the PCRE library can be exploited by a remote attacker to execute arbitrary code or cause a DoS. These vulnerabilities arise due to improper input validation in the compile_branch() and pcre_compile2() functions (CVE-2015-2325, CVE-2015-2326).
-
Denial of Service in SQLite: Several DoS vulnerabilities were found in SQLite, affecting the handling of quotes in collation sequence names, the implementation of comparison operators, and floating-point conversions. These can be exploited to cause uninitialized memory access, invalid free operations, or stack-based buffer overflows (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416).
-
Security Bypass via File Extension Manipulation: This vulnerability allows attackers to bypass access restrictions by appending a NULL byte (\0) to a file name, tricking extensions into handling malicious files as safe (CVE-2015-4598).
-
Arbitrary Command Injection: A flaw in the php_escape_shell_arg() function allows for the injection of arbitrary OS commands via the escapeshellarg() PHP method (CVE-2015-4642).
-
Heap Buffer Overflow in ftp_genlist(): Improper validation in the ftp_genlist() function could lead to arbitrary code execution or DoS (CVE-2015-4643).
-
NULL Pointer Dereference in PostgreSQL Extension: A specific flaw in the PostgreSQL extension can lead to an application crash, representing a DoS vulnerability (CVE-2015-4644).
Mitigation Strategies
The only effective mitigation for these vulnerabilities is to upgrade to PHP version 5.4.42 or later. Such an upgrade will address the identified vulnerabilities by incorporating patches and security improvements. For systems that cannot be immediately upgraded, it is advisable to implement network-level security measures to limit exposure to potential attacks and to monitor affected systems for signs of compromise.
Conclusion
Given the critical severity of these vulnerabilities, it is paramount for administrators to promptly upgrade affected systems to a secure version of PHP. Failing to address these issues could leave web servers open to a variety of attacks, including arbitrary code execution, security bypass, and significant service disruptions.
