PHP RCE flaw actively exploited to pop NGINX servers

A recently patched vulnerability (CVE-2019-11043) in PHP is being actively exploited by attackers to compromise NGINX web servers, threat intelligence firm Bad Packets has confirmed.


For a successful exploitation, target servers must have the PHP-FPM (FastCGI Process Manager) feature enabled, but that combination is not as uncommon as initially believed.

About CVE-2019-11043

The flaw was discovered by Wallarm researcher Andrew Danau during a Capture The Flag contest that took place in September 2019.

The PHP Development Team was notified about the vulnerability that same month and patched it in PHP versions 7.3.11, 7.2.24 and 7.1.33 (released last week).

A few days before that, PoC exploit code for the flaw – created by Danau’s fellow CTF players and researchers Emil Lerner and Omar Ganiev – was published on GitHub.

As noted by Lerner, it works only on PHP 7 and later (though others could find a way to adapt it to work on PHP versions 5 and later). It first queries a web server to see whether it’s vulnerable and, if it is, attackers can send specially crafted requests (with commands) to it.

Technical details about the buffer underflow bug can be found in Wallarm’s blog post as well as the bug entry in the PHP bug tracker.

The crucial thing is that, if certain preconditions are met, the flaw and the PoC can be used to achieve remote code execution on vulnerable servers.

Advice for admins

As noted before, only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM is the FastCGI process manager for PHP, used to make script execution faster.

There are many NGINX-based web servers and PHP 7-based websites out there: according to W3Techs, NGINX is used by 30.6% of all the websites whose web server they know. A third of all websites are using various versions of PHP 7.

And while PHP-FPM isn’t a core component in NGINX installs, web hosting providers usually include it in their standard PHP environments and/or recommend the vulnerable configuration, meaning that there could be quite a few vulnerable servers out there.

Since exploitation is trivial, admins are advised to check whether their servers are vulnerable by executing a simple bash command:

egrep -Rin --color 'fastcgi_split_path' /etc/nginx/

If they are, they should upgrade their PHP version to one that’s not vulnerable. If that’s not possible, the issue can be mitigated through WAF filtering (more details here).
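The two checks described above (config scan and PHP version) combined into one POSIX shell script, an added example that is not from the article or any of the vendors it cites; it assumes the nginx configuration lives under /etc/nginx and takes the fixed PHP releases from the versions the article names:

```shell
#!/bin/sh
# Added example (not from the article): audit one host for CVE-2019-11043.
# Assumes nginx config lives under /etc/nginx and that the fixed PHP releases
# are the ones the article names: 7.3.11, 7.2.24, 7.1.33.

# php_fixed_in MAJOR.MINOR -> first patched release of that branch, or "" if none
php_fixed_in() {
    case "$1" in
        7.3) echo 7.3.11 ;;
        7.2) echo 7.2.24 ;;
        7.1) echo 7.1.33 ;;
        *)   echo "" ;;
    esac
}

# php_is_vulnerable VERSION -> status 0 if the release still needs the fix.
# Accepts distro-style strings such as 7.3.9-1+deb10u1; compares numerically,
# so 7.3.9 is correctly seen as older than 7.3.11 (a string compare would not).
php_is_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    fixed=$(php_fixed_in "$major.$minor")
    if [ -z "$fixed" ]; then
        # 7.0.x is end-of-life and received no fix: treat it as vulnerable.
        # Any other branch is outside the article's list of affected releases.
        [ "$major" = 7 ] && [ "$minor" = 0 ]
        return
    fi
    [ "${patch:-0}" -lt "${fixed##*.}" ]
}

# nginx_split_path_hits CONFDIR -> "file:line" for each fastcgi_split_path_info
# directive, the same search as the egrep one-liner above.
nginx_split_path_hits() {
    grep -Rn 'fastcgi_split_path' "$1" 2>/dev/null | cut -d: -f1,2
}

# audit_host -> prints the verdict for the installed PHP and lists config hits.
audit_host() {
    ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || { echo "php not found"; return 2; }
    if php_is_vulnerable "$ver"; then echo "PHP $ver: UPDATE REQUIRED"; else echo "PHP $ver: patched or unaffected"; fi
    nginx_split_path_hits /etc/nginx | sed 's/^/fastcgi_split_path_info at: /'
}

case "${1:-}" in --audit) audit_host ;; esac
```

Run it as `sh audit.sh --audit` on the host; a config hit only means PATH_INFO splitting is in use, so the PHP version verdict decides whether the upgrade is still outstanding.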

Once that’s done, they should check whether unauthorized modifications have occurred on the system(s) before they were able to apply the patch or the mitigations.

NGINX admins that run PHP7 without PHP-FPM should also upgrade to the latest stable versions offered, as they fix many other bugs and security issues.

Trend Micro and Tenable researchers have offered additional advice and best security practices for deterring threats or intrusions that exploit the vulnerability.
