On October 21st, the PHP Foundation released a security update (Sec Bug #78599) that fixes a critical remote code execution vulnerability in PHP-FPM-enabled Nginx (CVE-2019-11043), affecting PHP versions prior to 7.1.33, 7.2.x prior to 7.2.24, and 7.3.x prior to 7.3.11. The vulnerability was disclosed by security researchers Emil Lerner and Omar Ganiev on Twitter, along with a POC released publicly on GitHub.
The vulnerability can be exploited under certain configurations in which a web server uses nginx together with PHP-FPM, and a successful attack yields remote code execution. A specific set of preconditions must be fulfilled for a server to be exploitable. These preconditions are:
The preconditions and configuration described are not uncommon. Successful exploitation could allow an attacker to execute code remotely and possibly gain access to the targeted system.
PHP and Nginx are open source, mature, and widely used by a large number of websites around the world; PHP powers 30% of all modern websites. However, only NGINX servers with PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster) are vulnerable.
The impact of this vulnerability is narrower than the score alone suggests, since most Nginx configurations include a file check and the default Nginx configuration does not have this issue.
Because multiple working POCs are publicly available and no authentication is required to exploit the vulnerability, exploitation is easy for anyone.
A surge in active attacks has also been observed in the wild since the exploit was publicly disclosed.
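The file check referred to above, shown as an added example that is not taken from the original advisory: a PHP-FPM location block in the affected shape, next to the same block with a `try_files` check placed before the request reaches PHP-FPM. The location regex, the socket path and the `fastcgi_params` include are assumed typical values, not values from this page; the two blocks are shown for comparison and are not meant to be loaded in the same server block.

```nginx
# Affected shape (assumed typical layout, not from the page): PATH_INFO is
# derived from the URI by regex, and nothing verifies that the script part
# of the URI is a real file before the request is handed to PHP-FPM.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # socket path is an assumption
}

# Hardened shape: answer 404 unless the script file exists on disk, so
# requests for non-existent .php paths never reach PHP-FPM at all.
# $fastcgi_path_info is saved first because try_files re-evaluates the
# location and would otherwise leave it empty.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $path_info;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # socket path is an assumption
}
```

The `try_files` check is a hardening measure on the web-server side; the advisory's remediation of upgrading PHP to a fixed version still applies.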
CVSSv2: Base Score 10.0
CVSSv3: Base Score 9.8
The vendor has released a security patch, and we strongly advise customers to update their installations as soon as possible.
Apply the official security patches for the affected versions: PHP 7.2.24 and 7.3.11.
Indusface Web Application Scanning (WAS) performs scans on the server and can identify this vulnerability through non-intrusive remote network checks. Our Vulnerability Audit can also be used to detect CVE-2019-11043.
The Indusface AppTrana/Total Application Security (TAS) platform protects against exploitation of web application layer vulnerabilities by external traffic and can protect against this vulnerability through customized rules.