PHP-FPM Remote Code Execution Vulnerability

CVE advisory, known exploit

CVE-2019-11043

A vulnerability in PHP-FPM, under specific Nginx configurations, allows remote code execution. This could impact organizations by enabling attackers to compromise systems and data. The realistic business risk involves potential unauthorized access and control over affected web infrastructure.

Halo Surface Signal: 4

Weakness: Buffer Overflow

Product: PHP

Affected versions: 7.1.0 to before 7.1.33; 7.2.0 to before 7.2.24; 7.3.0 to before 7.3.11; ...

External exposure likelihood

Halo Surface Signal score for CVE-2019-11043

This vulnerability affects PHP-FPM, which is a core component used to process dynamic web requests in standard, high-traffic web server architectures. Because PHP-FPM is commonly deployed to handle requests arriving at public-facing web servers and application gateways, the vulnerable interface is frequently reachable from the internet in common deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

Certain configurations of PHP's FastCGI Process Manager (FPM) contain a flaw that allows unauthorized code execution. This vulnerability arises from a buffer overflow condition within the FPM module. Exploiting this flaw could lead to significant business risk through unauthorized access and control of affected systems.

  • PHP FastCGI Process Manager (FPM)
  • Buffer overflow allows remote code execution
  • Unauthorized system access and control

Attack Path

How an attacker could exploit the issue

Certain configurations of PHP-FPM can allow an attacker to execute remote code. This occurs when the FPM module writes beyond its allocated buffer, overwriting data intended for the FCGI protocol. This could impact systems by allowing unauthorized code execution, potentially leading to data compromise or system control.

  • Exposed PHP-FPM configuration.
  • Unauthenticated network access.
  • Triggering a buffer overflow.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its potential for remote code execution, allowing attackers to compromise systems without prior access. The exploitation of this vulnerability is straightforward, requiring only network access and no user interaction. Its widespread use in web infrastructure means that many organizations are potentially exposed.

  • Exploitable by attackers with low skill.
  • No special access or conditions needed.
  • High business risk, treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in PHP's FastCGI Process Manager (FPM) could allow an attacker to execute arbitrary code on affected systems. Given the potential for remote code execution, prompt action is necessary to mitigate business risk. Organizations should prioritize identifying all systems utilizing the vulnerable PHP versions and configurations, then take steps to reduce or isolate exposure.

  • Locate all PHP-FPM installations.
  • Restrict network access to FPM.
  • Apply vendor updates and verify.
  • Monitor for unusual activity.
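As an added example (not part of this advisory or of PHP's own tooling), the following Python helper supports the first two actions above: it checks a PHP-FPM version string against the affected ranges stated on this page, and it scans an Nginx configuration for the `location` shape that the upstream fix guidance targets, namely `fastcgi_split_path_info` handing `PATH_INFO` to FPM without a `try_files $uri =404` guard. The sample configuration blocks are constructed for the example.

```python
import re
# Affected PHP-FPM ranges stated on this page, as (first affected, first fixed).
AFFECTED_RANGES = (
    ((7, 1, 0), (7, 1, 33)),
    ((7, 2, 0), (7, 2, 24)),
    ((7, 3, 0), (7, 3, 11)),
)

def parse_version(text):
    """Pull a (major, minor, patch) tuple out of e.g. 'PHP 7.3.10 (fpm-fcgi)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(text):
    """True when the version falls in any [first affected, first fixed) range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def location_blocks(conf):
    """Yield (header, body) for each 'location ... { ... }' block, brace-matched."""
    for m in re.finditer(r"location\s+[^{]*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(0).strip(), conf[m.end():i - 1]

def unguarded_fastcgi_locations(conf):
    """Headers of location blocks that hand a split PATH_INFO to FPM without the
    try_files $uri =404 guard that rejects requests naming a non-existent script."""
    risky = []
    for header, body in location_blocks(conf):
        splits = "fastcgi_split_path_info" in body
        passes = re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body)
        guarded = re.search(r"try_files\s+\$uri\s+=404", body)
        if splits and passes and not guarded:
            risky.append(header)
    return risky

# Constructed sample: the weak location shape, and the same block with the guard added.
WEAK_CONF = """location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}"""
GUARDED_CONF = WEAK_CONF.replace("fastcgi_pass", "try_files $uri =404;\n    fastcgi_pass")
```

Feed it the output of `php-fpm -v` and the contents of your Nginx site files; a non-empty result from `unguarded_fastcgi_locations` marks a block to harden before or alongside the version upgrade.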

Frequently asked questions

What is PHP FastCGI Process Manager (FPM)?

PHP's FastCGI Process Manager (FPM) is a component used to handle dynamic web requests. It's often employed in web server architectures to efficiently process PHP code, making websites and applications function.

What kind of weakness does CVE-2019-11043 describe?

CVE-2019-11043 describes a buffer overflow vulnerability. This happens when a program attempts to write more data into a memory buffer than it was allocated to hold, potentially overwriting adjacent memory and leading to issues like remote code execution.

How could an attacker trigger the PHP-FPM vulnerability?

An attacker could trigger this vulnerability by sending specially crafted requests to a PHP-FPM setup. The vulnerability occurs when the FPM module writes data past its intended buffer into space reserved for protocol information, which can be exploited for remote code execution.

Who should be concerned about CVE-2019-11043's impact?

Organizations using PHP-FPM, especially in internet-facing web servers, should be concerned. The Halo Surface Signal indicates this vulnerability is likely reachable from the internet, meaning external attackers could potentially exploit it.

What is the first step to address this PHP-FPM vulnerability?

The primary step for those running affected PHP versions is to apply updates provided by the vendor. Keeping PHP updated to a version that resolves this vulnerability is crucial for mitigating the risk.
