PHP-FPM Nginx Remote Code Execution Vulnerability (CVE-2019-11043)

October 2019


What is PHP-FPM Nginx Remote Code Execution Vulnerability (CVE-2019-11043)?

On October 21st, the PHP Foundation released a security update (Sec Bug #78599) that fixes a critical remote code execution vulnerability in PHP-FPM behind nginx (CVE-2019-11043). Affected versions are PHP 7.1.x prior to 7.1.33, 7.2.x prior to 7.2.24, and 7.3.x prior to 7.3.11. The vulnerability was disclosed by security researchers Emil Lerner and Omar Ganiev on Twitter, along with a proof-of-concept (PoC) exploit published on GitHub.

The vulnerability can be exploited to gain remote code execution under certain configurations where a web server uses nginx together with PHP-FPM. All of the following preconditions must hold for the server to be exploitable:

  • The nginx location directive forwards requests to PHP-FPM.
  • The fastcgi_split_path_info directive is present and its regular expression begins with a '^' symbol and ends with a '$' symbol.
  • The fastcgi_param directive is used to assign the PATH_INFO variable.
  • There is no check that the requested file exists (e.g., using try_files or an if statement).

These preconditions, and the configuration they describe, are not uncommon. Successful exploitation allows an attacker to execute code remotely and potentially gain access to the targeted system.
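As an added example (not part of the original advisory, and not Indusface's own tooling), the following Python script encodes the two offline checks a defender would want after reading the above: whether an installed PHP version falls in the affected ranges stated at the top of this advisory, and whether an nginx configuration contains a location block that meets all four preconditions. The nginx configuration samples, the FPM socket path and the `php -v` line are constructed for illustration; the fixed-version thresholds are the ones this advisory names.

```python
"""Offline checks for the CVE-2019-11043 exposure pattern.

1. Is a PHP version older than the fixed release on its branch?
2. Does an nginx config hold a location block with fastcgi_pass, an anchored
   fastcgi_split_path_info regex, fastcgi_param PATH_INFO, and no file check?
"""
import re
from dataclasses import dataclass

# Fixed releases named in the advisory; older versions on the same branch are affected.
FIXED_RELEASES = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def parse_php_version(php_v_output: str):
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", php_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(version):
    """True/False for branches the advisory covers; None for any other branch."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


@dataclass
class LocationAudit:
    header: str
    forwards_to_fpm: bool   # fastcgi_pass present in the block
    anchored_split: bool    # fastcgi_split_path_info regex starts with ^ and ends with $
    sets_path_info: bool    # fastcgi_param PATH_INFO ... present
    has_file_check: bool    # try_files or an if (...) block present

    @property
    def matches_vulnerable_pattern(self) -> bool:
        return (self.forwards_to_fpm and self.anchored_split
                and self.sets_path_info and not self.has_file_check)


def _location_blocks(conf: str):
    """Yield (header, body) for each location block, tracking nested braces."""
    for m in re.finditer(r"\blocation\b[^{]*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(0)[:-1].strip(), conf[m.end():i - 1]


def _split_regex_anchored(body: str) -> bool:
    """Second precondition: the split regex is anchored with ^ ... $."""
    for m in re.finditer(r"\bfastcgi_split_path_info\s+([^;]+);", body):
        arg = m.group(1).strip()
        if arg.startswith("^") and arg.endswith("$"):
            return True
    return False


def audit_nginx_conf(conf: str):
    """Evaluate every location block against the four preconditions."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop nginx comments first
    return [
        LocationAudit(
            header=header,
            forwards_to_fpm=bool(re.search(r"\bfastcgi_pass\b", body)),
            anchored_split=_split_regex_anchored(body),
            sets_path_info=bool(re.search(r"\bfastcgi_param\s+PATH_INFO\b", body)),
            has_file_check=bool(re.search(r"\btry_files\b|\bif\s*\(", body)),
        )
        for header, body in _location_blocks(conf)
    ]


# Constructed sample: a block that satisfies all four preconditions.
VULNERABLE_CONF = r"""
server {
    listen 80;
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
    }
}
"""

# Constructed sample: the same block with a file-existence check (try_files) added.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "fastcgi_split_path_info",
    "try_files $fastcgi_script_name =404;\n        fastcgi_split_path_info", 1)


if __name__ == "__main__":
    # Constructed `php -v` first line; format follows the real CLI output.
    ver = parse_php_version("PHP 7.3.10 (cli) (built: Oct  1 2019 00:00:00)")
    print("PHP", ".".join(map(str, ver)), "affected:", version_affected(ver))
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        for a in audit_nginx_conf(conf):
            state = "MATCHES pattern" if a.matches_vulnerable_pattern else "ok"
            print(f"{name}: {a.header!r} -> {state}")
```

The config audit is deliberately conservative: a block is only reported when all four preconditions hold, so a location that forwards to PHP-FPM but already carries `try_files` or an `if` guard is reported as ok. A version outside the three branches the advisory lists is reported as None rather than guessed.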

What are the risks?

PHP and nginx are mature, open source, and widely deployed; PHP powers 30% of all modern websites. However, only nginx servers with PHP-FPM enabled (a non-default optimization feature that lets servers execute scripts faster) are vulnerable.

The impact is somewhat narrowed because most nginx configurations include a file-existence check, and the default nginx configuration does not have this issue.

Because multiple working PoCs are publicly available and no authentication is required, exploitation is easy for anyone.

A surge in active attacks has also been observed in the wild since the exploit was publicly disclosed.

Severity: Critical

CVSSv2: Base Score 10.0

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSSv3: Base Score 9.8

Vector: CVSS:3.0#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Do I need to worry about it?

The vendor has released a security patch, and we strongly advise customers to update their installations as soon as possible.

Mitigation:

Apply the official security patches by updating affected installations to the fixed releases, PHP 7.2.24 and 7.3.11.

Indusface Web Application Scanning (WAS) scans the server and can identify this vulnerability through non-intrusive remote network checks. Our Vulnerability Audit can also be used to detect CVE-2019-11043.

The Indusface AppTrana/Total Application Security (TAS) platform protects against exploitation of web application layer vulnerabilities by external traffic and can protect against this vulnerability through customized rules.