Wallarm experts have described an RCE vulnerability found in PHP 7, the new branch of PHP. The vulnerability threatens the security of nginx servers.
The problem has the identifier CVE-2019-11043 and allows an attacker to execute arbitrary commands on vulnerable servers simply by accessing a specially crafted URL. “The reason for this issue is under the hood of the Nginx+fastcgi bundle, in particular, in a fastcgi_split_path directive and regexp tricks with newlines. Because of the %0a character, Nginx will set an empty value to this variable, and fastcgi+PHP will not expect this. Because of some black magic spells with hash tables it was possible to put arbitrary FastCGI variables, like PHP_VALUE,” Wallarm experts explain.
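To make the "empty value" the quote refers to concrete, the following added Python example (not Wallarm's code, and not nginx's actual implementation) models what the split directive yields for a request path. It assumes the regex most nginx + PHP-FPM sample configs use for fastcgi_split_path_info, `^(.+?\.php)(/.*)$`, which the page does not spell out, and it applies the same check to constructed access-log lines so that a defender can review existing logs for requests that hit the condition.

```python
import re
from urllib.parse import unquote

# Split regex used by most nginx + PHP-FPM examples (an assumption: the page names the
# directive, not the pattern). Python's '.' does not match a newline, as PCRE's does not
# by default, so a decoded %0a after ".php/" makes the match fail.
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")

# Pulls the request target out of a combined-format access log line (constructed format).
REQ_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')


def split_path_info(uri):
    """Model of fastcgi_split_path_info: returns (script_name, path_info).

    nginx matches the regex against the percent-decoded path ($uri). When the regex
    does not match, the second variable is empty, which is the condition the article
    describes. The query string is dropped first, as nginx does.
    """
    decoded = unquote(uri.split("?", 1)[0])
    m = SPLIT_RE.match(decoded)
    if m is None:
        return decoded, ""
    return m.group(1), m.group(2)


def is_suspicious_request(uri):
    """True when the path names a .php script with a trailing path component, yet the
    split produces an empty path_info once the path is decoded."""
    decoded = unquote(uri.split("?", 1)[0])
    return ".php/" in decoded and split_path_info(uri)[1] == ""


def flag_log_lines(lines):
    """Return (line number, request target) for each access-log line worth review."""
    flagged = []
    for no, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m and is_suspicious_request(m.group(1)):
            flagged.append((no, m.group(1)))
    return flagged


# Constructed sample log lines; the addresses and paths are made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2019:10:00:01 +0000] "GET /index.php/foo/bar HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Oct/2019:10:00:02 +0000] "GET /index.php/%0aXYZ?a= HTTP/1.1" 200 0',
    '10.0.0.5 - - [25/Oct/2019:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(split_path_info("/index.php/foo/bar"))   # normal split: ('/index.php', '/foo/bar')
    print(split_path_info("/index.php/%0aXYZ"))    # newline defeats the regex: path_info ''
    print(flag_log_lines(SAMPLE_LOG))              # only the second line is flagged
```

The log check is deliberately narrow: it flags only targets where a `.php/` path would normally yield a non-empty path_info but does not, so ordinary PATH_INFO-style URLs such as `/index.php/foo/bar` are not reported.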
A PoC exploit for this vulnerability is already available on GitHub, and using it requires neither deep technical knowledge nor serious preparation. The exploit checks whether the target server is vulnerable and then sends specially crafted requests to it, appending “?a=” to the URL.
Researchers explain that CVE-2019-11043 is, fortunately, a threat only to PHP-enabled web servers, and specifically to nginx servers running PHP-FPM (FastCGI Process Manager), an alternative implementation of PHP FastCGI with some additional features. Moreover, exploiting the bug requires a number of conditions to be met.
Although PHP-FPM is not a standard component of nginx, some hosting providers include it in their standard environments. For example, Nextcloud has already issued a warning to its customers, urging them to update PHP as soon as possible to versions 7.3.11 and 7.2.24, where CVE-2019-11043 has been fixed.
Nextcloud, however, is just one of many affected parties. Given the availability of a ready-made PoC exploit and how easy the vulnerability is to use, website owners are advised to check their server settings and not delay the PHP update.
Without patching, this issue may become a dangerous entry point into your web applications, most of which run on PHP infrastructure. To check whether your systems might be vulnerable, you can simply run the following bash command, which finds the FastCGI directive in question in your nginx configs:
egrep -Rin --color 'fastcgi_split_path' /etc/nginx/
If you find such lines, you need to apply a virtual patch until the official PHP security update is installed.
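The grep above reports every occurrence of the directive. The added Python example below (written for this page, not part of the article or of any tool it mentions) goes one step further: it walks a config directory, tracks the `{ ... }` block structure, and pairs each `fastcgi_split_path_info` line with whether a `fastcgi_pass` appears in the same block, since the article says the bug only matters where nginx actually hands requests to PHP-FPM. The sample config and the socket path inside it are constructed for the example.

```python
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    directive: str
    routed_to_fastcgi: bool  # a fastcgi_pass sits in the same {...} block


def _scan_text(text, path):
    """Scan one config file's text. Each stack entry is [split_lines, has_fastcgi_pass]
    for the block currently open; a block is reported when its closing brace is seen.
    Limitations (acceptable for a triage script): '#' inside quoted values is treated as
    a comment, and braces inside location regexes such as {2} would confuse the tracker."""
    findings = []
    stack = [[[], False]]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        for tok in re.split(r"([{}])", line):
            tok = tok.strip()
            if tok == "{":
                stack.append([[], False])
            elif tok == "}":
                splits, has_pass = stack.pop()
                findings.extend(Finding(path, ln, d, has_pass) for ln, d in splits)
            elif tok.startswith("fastcgi_split_path"):
                stack[-1][0].append((no, tok.rstrip(";")))
            elif tok.startswith("fastcgi_pass"):
                stack[-1][1] = True
    while stack:  # flush unbalanced or top-level remainder
        splits, has_pass = stack.pop()
        findings.extend(Finding(path, ln, d, has_pass) for ln, d in splits)
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def scan_nginx_dir(root):
    """Scan every regular file under root (e.g. /etc/nginx); site files often lack .conf."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(_scan_text(fh.read(), full))
            except OSError:
                continue
    return findings


# Constructed sample: one PHP location routed to PHP-FPM, one that keeps the split
# directive but no longer passes to FastCGI, and one unrelated static location.
SAMPLE_CONF = """server {
    listen 80;
    location ~ \\.php$ {
        fastcgi_split_path_info ^(.+\\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
    }
    location /legacy/ {
        fastcgi_split_path_info ^(.+\\.php)(/.+)$;
        # fastcgi_pass 127.0.0.1:9000; (disabled)
        return 404;
    }
    location /static/ {
        root /var/www/html;
    }
}
"""


def scan_sample_dir():
    """Write the constructed config into a temp dir and scan it like /etc/nginx."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "default.conf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        return scan_nginx_dir(tmp)


if __name__ == "__main__":
    for f in scan_sample_dir():
        flag = "ROUTED TO PHP-FPM" if f.routed_to_fastcgi else "not routed"
        print(f"{f.path}:{f.line_no}: {f.directive}  [{flag}]")
```

Run `scan_nginx_dir("/etc/nginx")` on a real host; findings marked as routed to PHP-FPM are the ones to prioritise for the virtual patch and the PHP update, while the others still deserve a look in case the `fastcgi_pass` lives in an included file.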