CVE-2018-7584
Published 2018-03-01
Priority P277 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 87.88% (99.7th percentile)
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.5_security_update_2018-003_sierra_security_update_2018-0 | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| php | php | <= 5.6.33 | — |
| php | php | >= 7.0.0 < 7.0.28 | 7.0.28 |
| php | php | 7.1.0 – 7.1.14 | — |
| php | php | 7.2.0 – 7.2.2 | — |
| php5 | php5 | >= 0 < 5.6.34-r0 | 5.6.34-r0 |
| php5 | php5 | >= 0 < 5.6.34-r0 | 5.6.34-r0 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.24 | 5.5.9+dfsg-1ubuntu4.24 |
Detection & IOCs
- Trigger condition: a malformed HTTP response where the first line contains no '\r' before '\n' (e.g. payload bytes 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a) causes tmp_line_len to decrement to -1, resulting in an abnormally large string copy in php_stream_url_wrap_http_ex.
- Vulnerable function is php_stream_url_wrap_http_ex at http_fopen_wrapper.c line 723; monitor PHP processes making outbound HTTP requests to attacker-controlled servers returning crafted responses.
- Affected PHP versions: through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2. Detect these versions in your environment as unpatched targets.
- The PoC uses a netcat listener on port 8080 to serve the malformed HTTP response; watch for PHP processes connecting to non-standard HTTP ports (e.g. 8080) and receiving abnormally short/malformed response headers.
- The stack-buffer under-read only manifests when PHP parses an HTTP response where the response line lacks a proper '\r\n' terminator; exploitation requires PHP to initiate an HTTP request (e.g. via file_get_contents, fopen wrappers) to an attacker-controlled server.
- Under ASAN the bug produces a segfault/abort; on production (non-ASAN) builds the under-read may silently copy stack data, making crash-based detection unreliable.
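A simplified C model of the condition described in the bullets above, added here as an example (not PHP's source and not taken from any of the cited advisories): a line-terminator strip that indexes `len - 1` without checking `len`, next to a bounds-checked form. The function names, the `before` parameter standing in for the stack byte just below the buffer, and the sample line are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte i of the line; index -1 is modelled by `before` (the stack byte
 * just below the buffer) so no real out-of-bounds read happens here. */
static char byte_at(const char *line, ptrdiff_t i, char before)
{
    return i < 0 ? before : line[i];
}

/* Hypothetical unchecked strip: drops '\n' then '\r' without ever
 * checking that the remaining length is still positive. */
ptrdiff_t strip_eol_unchecked(const char *line, ptrdiff_t len, char before)
{
    if (byte_at(line, len - 1, before) == '\n') {
        --len;
        if (byte_at(line, len - 1, before) == '\r')
            --len;
    }
    return len;
}

/* Bounds-checked strip: every index is validated against len first. */
ptrdiff_t strip_eol_checked(const char *line, ptrdiff_t len)
{
    if (len > 0 && line[len - 1] == '\n') {
        --len;
        if (len > 0 && line[len - 1] == '\r')
            --len;
    }
    return len;
}

/* A negative length used as a copy size wraps to a huge size_t. */
size_t as_copy_size(ptrdiff_t len)
{
    return (size_t)len;
}

int main(void)
{
    const char bare_lf[] = "\n"; /* constructed: line with no '\r' */
    ptrdiff_t bad = strip_eol_unchecked(bare_lf, 1, '\r');
    printf("unchecked len=%td copy size=%zu\n", bad, as_copy_size(bad));
    printf("checked   len=%td\n", strip_eol_checked(bare_lf, 1));
    return 0;
}
```

In the model, the unchecked result depends on the byte below the buffer, which is why the outcome on a non-ASAN build varies from run to run while the checked form always returns 0 for a bare newline.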
CVSS provenance
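| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |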
Apple
CVE-2018-7584: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
vendor_apple·2018-06-01·CVSS 9.8
CVE-2018-7584 [CRITICAL] CVE-2018-7584: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
Apple Security Update: About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
Product: macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan
CVE: CVE-2018-7584
Component: AppleGraphicsPowerManagement
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved size validation.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2018-05-15·CVSS 6.1
CVE-2018-5712 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
USN-3600-1 fixed a vulnerability in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that PHP incorrectly handled the PHAR 404 error page. A
remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks. (CVE-2018-5712)
It was discovered that PHP incorrectly handled parsing certain HTTP
responses. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2018-7584)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2018-03-19·CVSS 7.5
CVE-2016-10712 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain stream metadata. A
remote attacker could possibly use this issue to set arbitrary metadata.
This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10712)
It was discovered that PHP incorrectly handled the PHAR 404 error page. A
remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 17.10. (CVE-2018-5712)
It was discovered that PHP incorrectly handled parsing certain HTTP
responses. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2018-7584)
Instructions: In Ubuntu 16.04 LTS and U
Red Hat
php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing HTTP response
vendor_redhat·2018-02-20·CVSS 9.8
CVE-2018-7584 [CRITICAL] CWE-125 php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing HTTP response
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 8) - Not affected
Package: rh-php56-php (Red Hat Software Collections) - Will not fix
Package: rh-php70-php (Red Hat Software Collections) - Will not fix
GHSA
GHSA-w5h8-6928-2j67: In PHP through 5
ghsa_unreviewed·2022-05-14
CVE-2018-7584 [CRITICAL] CWE-119 GHSA-w5h8-6928-2j67: In PHP through 5
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
OSV
php5, php7.0, php7.1 vulnerabilities
osv·2018-03-19·CVSS 7.5
CVE-2016-10712 [HIGH] php5, php7.0, php7.1 vulnerabilities
It was discovered that PHP incorrectly handled certain stream metadata. A
remote attacker could possibly use this issue to set arbitrary metadata.
This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10712)
It was discovered that PHP incorrectly handled the PHAR 404 error page. A
remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 17.10. (CVE-2018-5712)
It was discovered that PHP incorrectly handled parsing certain HTTP
responses. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2018-7584)
OSV
CVE-2018-7584: In PHP through 5
osv·2018-03-01·CVSS 9.8
CVE-2018-7584 [CRITICAL] CVE-2018-7584: In PHP through 5
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
No detection rules found.
Bugzilla
CVE-2018-7584 php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing HTTP response
bugzilla·2018-03-02·CVSS 9.8
CVE-2018-7584 [CRITICAL] CVE-2018-7584 php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing HTTP response
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
Upstream bug:
https://bugs.php.net/bug.php?id=75981
Upstream patch:
https://github.com/php/php-src/commit/523f230c831d7b33353203fa34aee4e92ac12bba
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1551040]
---
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Re
Bugzilla
CVE-2018-7584 php: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service [fedora-all]
bugzilla·2018-03-02·CVSS 9.8
CVE-2018-7584 [CRITICAL] CVE-2018-7584 php: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being f
Tenable
[R2] SecurityCenter 5.6.2.1 Fixes One Third-party Vulnerability
blogs_tenable·2018-04-05
- http://php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/103204
- http://www.securitytracker.com/id/1041607
- https://access.redhat.com/errata/RHSA-2019:2519
- https://bugs.php.net/bug.php?id=75981
- https://github.com/php/php-src/commit/523f230c831d7b33353203fa34aee4e92ac12bba
- https://lists.debian.org/debian-lts-announce/2018/03/msg00030.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html
- https://usn.ubuntu.com/3600-1/
- https://usn.ubuntu.com/3600-2/
- https://www.debian.org/security/2018/dsa-4240
- https://www.exploit-db.com/exploits/44846/
- https://www.tenable.com/security/tns-2018-03
- https://www.tenable.com/security/tns-2018-12