⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-04-15.

CVE-2019-11043Classic Buffer Overflow in PHP

CWE-120Classic Buffer OverflowCWE-787Out-of-bounds Write21 documents16 sources
Severity
9.8CRITICALNVD
CNA8.7VulnCheck8.7
EPSS
94.1%
top 0.10%
CISA KEV
KEVRansomware
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
24
PHPTenable Tenable.scPhp5+21 more
Timeline
PublishedOct 28
KEV addedMar 25
KEV dueApr 15
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages9 packages

CVEListV5php/php7.1.x7.1.33+2
NVDphp/php7.1.07.1.33+2
NVDtenable/tenable.sc< 5.19.0
Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.29+esm6

Also affects: Debian Linux 10.0, 9.0, Fedora 29, 30, 31, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.04, 19.10, Enterprise Linux 8.0, 7.7, 8.1, 8.2, 8.4, 8.6, 8.8, 6.0, 7.0, 6.0_ppc64, 7.0_ppc64, 7.7_ppc64

Patches

Patch: bugs.php.netPatch: bugs.php.net

🔴Vulnerability Details

5
GHSA
GHSA-6qjm-m8fp-j2mm: In PHP versions 72022-05-24
CVEList
Underflow in PHP-FPM can lead to RCE2019-10-28
OSV
CVE-2019-11043: In PHP versions 72019-10-24
Kernel
powerpc/tm: Fix oops on sigreturn on systems without TM2019-07-19
VulnCheck
PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability2019

💥Exploits & PoCs

2
Exploit-DB
PHP-FPM - Underflow Remote Code Execution (Metasploit)2020-03-09
Exploit-DB
PHP-FPM + Nginx - Remote Code Execution2019-10-28

🔍Detection Rules

1
Suricata
ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)2019-10-23

📋Vendor Advisories

4
CISA
PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability2022-03-25
Ubuntu
PHP vulnerability2019-10-29
Ubuntu
PHP vulnerability2019-10-28
Red Hat
php: underflow in env_path_info in fpm_main.c2019-10-24

🕵️Threat Intelligence

2
Qualys
CVE‑2019‑11043: PHP Remote Code Execution Exploit | Qualys2019-10-30
Qualys
PHP Remote Code Execution Vulnerability (CVE-2019-11043)2019-10-30

📄Research Papers

1
CTF
solver / README2024

💬Community

4
HackerOne
CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm2020-11-09
HackerOne
Docker image with FPM is vulnerable to CVE-2019-110432020-03-14
Bugzilla
CVE-2019-11043 php: underflow in env_path_info in fpm_main.c [fedora-all]2019-10-28
Bugzilla
CVE-2019-11043 php: underflow in env_path_info in fpm_main.c2019-10-28