CVE-2019-11043: PHP-FPM arbitrary code execution vulnerability alert

CVE-2019-11043 is a flaw in PHP-FPM's sapi/fpm/fpm/fpm_main.c: when the PATH_INFO variable arrives empty, pointer arithmetic on env_path_info underflows and produces an out-of-bounds write that an attacker can turn into remote code execution. The vulnerability was reported to the PHP bug tracker (bug #78599) by security researcher Emil Lerner on September 26, 2019. Lerner credits Andrew Danau, a security researcher at Wallarm, who noticed the anomaly during a Capture The Flag competition in September 2019, and Omar Ganiev for helping to finalize the php.ini options used in the proof of concept.

What’s vulnerable

If a web server runs Nginx + PHP-FPM and the Nginx site has a configuration like

which also lacks any script existence check (such as try_files $uri =404), then you are probably vulnerable.

The full list of preconditions

  1. Nginx + PHP-FPM, with a location such as location ~ [^/]\.php(/|$) whose requests are forwarded to PHP-FPM via fastcgi_pass.
  2. A fastcgi_split_path_info directive whose regular expression starts with ^ and ends with $ (for example the common ^(.+?\.php)(/.*)$). Because . does not match a newline and $ only matches at the very end of the string, a percent-encoded newline (%0a) followed by further characters in the request path makes the match fail, which leaves $fastcgi_path_info empty.
  3. A PATH_INFO assignment via fastcgi_param PATH_INFO $fastcgi_path_info;. Note that this line is not always present in the default fastcgi_params file, so check the site configuration as well as the included files.
  4. No file existence check such as try_files $uri =404 or if (-f $uri). If Nginx rejects requests for non-existent scripts before forwarding them over FastCGI, the vulnerable code path is never reached. Adding such a check is also the quickest mitigation while the upgrade is arranged.
  5. A PHP-FPM build that still contains the bug (see Fixes below).
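The following Python script is an added example, not code from the original advisory or from Emil Lerner's proof of concept. It reproduces the part of nginx's fastcgi_split_path_info behaviour the list above relies on (an encoded newline followed by more characters makes the ^...$ pattern fail, so PATH_INFO is sent empty) and then audits an nginx location block against the four configuration preconditions. The two location blocks, the socket path and the decoding step are constructed or simplified for illustration; the audit is line-based and only sees directives written inline.

```python
import re
from urllib.parse import unquote

# The split pattern used by the nginx documentation and most PHP-FPM snippets.
# Python's re and nginx's PCRE agree on the two properties that matter here:
# '.' does not match a newline, and '$' matches only at the end of the subject
# or immediately before a newline that is the final character.
SPLIT_PATH_INFO = re.compile(r'^(.+?\.php)(/.*)$')


def split_path_info(uri: str):
    """Mimic nginx's fastcgi_split_path_info for an already-decoded URI.

    The first capture becomes $fastcgi_script_name and the second
    $fastcgi_path_info. When the pattern does not match, nginx uses the whole
    URI as the script name and leaves $fastcgi_path_info empty; that empty
    PATH_INFO is what triggers the fpm_main.c underflow.
    """
    m = SPLIT_PATH_INFO.match(uri)
    if not m:
        return uri, ""
    return m.group(1), m.group(2)


def path_info_for_request(raw_uri: str) -> str:
    """Percent-decode the request path (simplified model of nginx's URI
    normalisation: only percent-decoding is reproduced) and return the value
    that would be sent to PHP-FPM as PATH_INFO."""
    return split_path_info(unquote(raw_uri))[1]


# Constructed nginx location blocks for the audit below. They are examples,
# not configuration taken from a real deployment; the socket path is a placeholder.
VULNERABLE_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
"""

HARDENED_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
"""


def audit_location_block(conf: str) -> dict:
    """Check one nginx location block against the four configuration
    preconditions. Line-based and deliberately simple: a PATH_INFO assignment
    that lives in an included fastcgi_params file is not detected."""
    split = re.search(r'^\s*fastcgi_split_path_info\s+(\S+)\s*;', conf, re.M)
    regex = split.group(1) if split else ""
    findings = {
        # 1. a PHP location that is handed to PHP-FPM over FastCGI
        "forwards_php_to_fpm": bool(re.search(r'^\s*location\s+~.*\\\.php', conf, re.M))
                               and bool(re.search(r'^\s*fastcgi_pass\s', conf, re.M)),
        # 2. a split regexp anchored with ^ and $, breakable with a newline
        "split_regex_anchored": regex.startswith("^") and regex.endswith("$"),
        # 3. PATH_INFO passed through from $fastcgi_path_info
        "sets_path_info": bool(re.search(
            r'^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;', conf, re.M)),
        # 4. an existence check that drops requests for non-existent scripts
        "has_existence_check": bool(re.search(
            r'^\s*try_files\s.*=404\s*;|^\s*if\s*\(\s*-f\s', conf, re.M)),
    }
    findings["likely_vulnerable"] = (
        findings["forwards_php_to_fpm"]
        and findings["split_regex_anchored"]
        and findings["sets_path_info"]
        and not findings["has_existence_check"]
    )
    return findings


if __name__ == "__main__":
    # A normal request splits cleanly ...
    print(split_path_info("/index.php/foo/bar"))
    # ... but an encoded newline followed by more bytes breaks the match,
    # so PATH_INFO is sent empty.
    print(repr(path_info_for_request("/index.php/PHP_VALUE%0Asession.auto_start=1")))
    # A newline as the very last character is not enough: '$' still matches
    # just before a trailing newline, so the split succeeds.
    print(repr(path_info_for_request("/index.php/PHP%0A")))
    for name, conf in (("vulnerable", VULNERABLE_LOCATION), ("hardened", HARDENED_LOCATION)):
        print(name, audit_location_block(conf))
```

Run the script as-is to see the split results and both audit verdicts; to check your own site, paste the relevant location block into audit_location_block and remember to also inspect any file pulled in by include, since a PATH_INFO assignment there is invisible to this check.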

Fixes

PHP 7.1.33, 7.2.24 and 7.3.11 fix the bug; users are encouraged to upgrade to one of these versions or a later release in the same branch. Where upgrading is not immediately possible, adding a try_files $uri =404; check to the PHP location block in Nginx prevents requests for non-existent scripts from reaching PHP-FPM, so the vulnerable code path cannot be triggered.