CVE-2019-11043: PHP-FPM arbitrary code execution vulnerability alert

CVE-2019-11043 is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c. The vulnerability was first reported to the PHP bug-tracker by security researcher Emil Lerner on September 26, 2019. Lerner also credits Andrew Danau, a security researcher at Wallarm, who identified the “anomaly” during a Capture The Flag competition in September 2019, and Ganiev for helping to finalize the php.ini options for the PoC.

What’s vulnerable

If a web server runs Nginx + PHP-FPM and Nginx has a configuration like

which also lacks any script existence checks (like try_files), then you are probably vulnerable.

The full list of preconditions

  1. Nginx + PHP-FPM, location ~ [^/]\.php(/|$) must be forwarded to PHP-FPM.
  2. The fastcgi_split_path_info directive must be there and contain a regexp starting with ^ and ending with $, so we can break it with a newline character.
  3. There must be a PATH_INFO variable assignment via the statement fastcgi_param PATH_INFO $fastcgi_path_info;. Note that it isn’t always present in the fastcgi_params file.
  4. No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, the code execution can’t be triggered. Adding this is also the easiest way to patch.
  5. The bug itself is present in PHP-FPM builds older than the fixed releases listed under Fixes below.
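Precondition 2 gives defenders something observable: a request whose PHP script path carries a newline reaches the log URL-encoded as %0a (or %0d%0a). The following added Python example, which is not part of the advisory, runs that check over a few constructed nginx combined-format access-log lines and returns the matching requests. A hit is a triage signal, not proof of exploitation, since any client can send such a path.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (nginx "combined" format); not real traffic.
# Lines 2 and 4 carry an encoded newline inside a .php request path.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.64.0"
10.0.0.5 - - [22/Oct/2019:10:00:02 +0000] "GET /index.php/%0Afoo HTTP/1.1" 200 0 "-" "curl/7.64.0"
10.0.0.7 - - [22/Oct/2019:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Oct/2019:10:00:04 +0000] "POST /a.php%0d%0a/x HTTP/1.1" 200 10 "-" "python-requests/2.22"
"""

# Pull the request line ("METHOD target HTTP/x.y") out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_request(target):
    """True when the path part of the request target names a .php script and,
    once percent-decoded, contains a CR or LF character."""
    path = target.split("?", 1)[0]          # ignore the query string
    decoded = unquote(path)                 # %0a -> "\n", %0d -> "\r"
    return ".php" in decoded.lower() and ("\n" in decoded or "\r" in decoded)


def find_suspicious(log_text):
    """Return (line number, raw request target) for every suspicious entry."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious_request(m.group("target")):
            hits.append((lineno, m.group("target")))
    return hits


if __name__ == "__main__":
    for lineno, target in find_suspicious(SAMPLE_LOG):
        print(f"line {lineno}: newline in PHP script path: {target}")
```

Run it against a real access log by reading the file into `find_suspicious`; the check decodes only once, so a double-encoded `%250a` is not flagged, which is deliberate because nginx would pass it to PHP-FPM still encoded.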

Fixes

The newly released PHP 7.1.33, 7.2.24 and 7.3.11 fix the bug; users are encouraged to upgrade to one of these versions.
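To check a deployment against the precondition list above and the fixed releases named here, the following added Python example (not code from the advisory or from the PHP project) audits an nginx location block for the four configuration preconditions and compares a PHP version string against the fixed releases. The two nginx snippets and the split regex `^(.+?\.php)(/.*)$` are assumptions constructed for illustration; the checks themselves follow the preconditions as listed.

```python
import re

# Constructed nginx location blocks (not from the advisory). The first meets
# every configuration precondition; the second adds the try_files check the
# advisory names as the easiest way to patch.
VULNERABLE_CONF = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
}
"""

HARDENED_CONF = """
location ~ [^/]\\.php(/|$) {
    try_files $uri =404;   # drop requests for scripts that do not exist
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
}
"""


def _strip_comments(conf):
    """Remove nginx '#' comments so commented-out directives are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def audit_location(conf):
    """Map each configuration precondition to True when the block satisfies it."""
    text = _strip_comments(conf)
    return {
        # 1. a regex location for *.php that is forwarded to PHP-FPM
        "php_location_to_fpm": bool(re.search(r"location\s+~[^{]*\\\.php", text))
        and "fastcgi_pass" in text,
        # 2. fastcgi_split_path_info whose regex is anchored with ^ ... $
        "split_path_info_anchored": bool(
            re.search(r"fastcgi_split_path_info\s+\^[^;]*\$\s*;", text)
        ),
        # 3. PATH_INFO assigned from the split result
        "path_info_from_split": bool(
            re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", text)
        ),
        # 4. no script existence check (try_files $uri ... / if (-f $uri))
        "no_existence_check": not re.search(
            r"try_files\s+\$uri\b|if\s*\(\s*-f\s+\$uri", text
        ),
    }


def config_matches_preconditions(conf):
    """True when every configuration precondition holds, i.e. the block needs attention."""
    return all(audit_location(conf).values())


# Fixed releases as named in the Fixes section. Branches this page does not
# cover are reported as unknown rather than guessed.
FIXED_RELEASES = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def php_version_fixed(version):
    """True if `version` (e.g. '7.3.11') is at or past the fixed release of its
    branch, False if it is older, None for a branch this page does not cover."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_RELEASES.get(parts[:2])
    if fixed is None:
        return None
    return parts >= fixed


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_location(conf), "needs attention:", config_matches_preconditions(conf))
    for v in ("7.3.10", "7.3.11", "7.1.33", "5.6.40"):
        print(v, php_version_fixed(v))
```

The regex checks are deliberately narrow: they look at one location block at a time, so feed each `location` block of a real config separately, and treat a result of all-True as a prompt to add `try_files $uri =404;` and upgrade PHP, not as a confirmed compromise.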

PHP 7.3.11 Released

The PHP development team announces the immediate availability of PHP 7.3.11. This is a security release which also contains several bug fixes.

All PHP 7.3 users are encouraged to upgrade to this version.

For source downloads of PHP 7.3.11 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

PHP 7.2.24 Released

The PHP development team announces the immediate availability of PHP 7.2.24. This is a security release which also contains several minor bug fixes.

All PHP 7.2 users are encouraged to upgrade to this version.

For source downloads of PHP 7.2.24 please visit our downloads page; Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

PHP 5.6.40 Released

The PHP development team announces the immediate availability of PHP 5.6.40. This is a security release. Several security bugs have been fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Please note that according to the PHP version support timelines, PHP 5.6.40 is the last scheduled release of the PHP 5.6 branch. There may be an additional release if we discover important security issues that warrant it; otherwise this release will be the final one in the PHP 5.6 branch. If your PHP installation is based on PHP 5.6, it may be a good time to start making plans for the upgrade to PHP 7.1, PHP 7.2 or PHP 7.3.

PHP 7.3.1 Released

The PHP development team announces the immediate availability of PHP 7.3.1. This is a security release which also contains several bug fixes.

All PHP 7.3 users are encouraged to upgrade to this version.

PHP 7.2.14 Released

The PHP development team announces the immediate availability of PHP 7.2.14. This is a security release which also contains several minor bug fixes.

All PHP 7.2 users are encouraged to upgrade to this version.

PHP 7.0.25 Released

The PHP development team announces the immediate availability of PHP 7.0.25. This is a security release. Several security bugs were fixed in this release. All PHP 7.0 users are encouraged to upgrade to this version.

PHP 5.6.32 Released

The PHP development team announces the immediate availability of PHP 5.6.32. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

PHP 7.1.11 Released

The PHP development team announces the immediate availability of PHP 7.1.11. This is a bugfix release, with several bug fixes included. All PHP 7.1 users are encouraged to upgrade to this version.