Security Update for PHP7.0 – Critical Vulnerabilities and Fixes

A new security update, has been released for PHP 7.0, specifically for version 7.0.33-0+deb9u20 (Stretch). This update addresses several critical vulnerabilities in PHP that could be exploited by attackers to compromise the integrity, availability, and confidentiality of systems running affected versions of PHP. In this post, we’ll review the key vulnerabilities, their potential impact, and why it’s essential to apply this update promptly.

Related CVEs:

  • CVE-2024-8929
  • CVE-2024-8932
  • CVE-2024-11233
  • CVE-2024-11234
  • CVE-2024-11236

Vulnerability Breakdown:

  1. CVE-2024-8929: Heap Buffer Over-read in mysqlnd A heap buffer over-read vulnerability was discovered by Sébastien Rolland in the MySQL Native Driver (mysqlnd) component of PHP. By exploiting this vulnerability, an attacker could initiate a SQL query and connect to a fake MySQL server or tamper with network packets. This manipulation would allow the attacker to abuse the php_mysqlnd_rset_field_read() function and leak sensitive data from the heap memory by accessing areas of memory beyond the buffer’s allocated size. Impact:
    • Potential leak of sensitive memory content.
    • Could allow attackers to extract information from the heap, including passwords, session data, or other sensitive data.
  2. CVE-2024-8932: Integer Overflow in ldap_escape() on 32-bit Systems Discovered by Yiheng Cao, this vulnerability affects the ldap_escape() function on 32-bit systems. Uncontrolled long string inputs to this function can cause an integer overflow, leading to an out-of-bounds write. This could result in memory corruption or crashes in affected systems. Impact:
    • Potential for denial of service (DoS).
    • Possible arbitrary code execution if the attacker can manipulate memory or cause out-of-bounds writes.
  3. CVE-2024-11233: Memory Corruption in filter Handling System A memory-related vulnerability was discovered in the PHP filter handling system, particularly when processing convert.quoted-printable-decode filters. By providing specially crafted input, attackers could trigger a segmentation fault, causing PHP to crash. In some cases, this vulnerability might allow attackers to extract a byte of data from the heap, leading to potential data leakage. Impact:
    • Denial of service (PHP crash).
    • Possible leak of a single byte of sensitive data from the heap.
    • Exploitation could lead to system instability.
  4. CVE-2024-11234: Proxy Configuration Leading to CRLF Injection This vulnerability, discovered by Lorenzo Leonardini, arises when configuring a proxy in a stream context. Attackers could exploit this by injecting CRLF (carriage return and line feed) characters into the URI, potentially leading to a Server-Side Request Forgery (SSRF) attack. This could bypass authorization controls and allow attackers to access internal systems or perform unauthorized actions. Impact:
    • Authorization bypass due to SSRF.
    • Potential for attackers to make unauthorized requests to internal systems.
  5. CVE-2024-11236: Integer Overflow in Firebird and DBLIB Quoters An integer overflow vulnerability was discovered in the Firebird and DBLIB quoters, which could result in out-of-bounds writes. This memory corruption vulnerability can be triggered when handling certain input data in PHP. An attacker could exploit this issue to corrupt memory, potentially leading to arbitrary code execution. Impact:
    • Memory corruption.
    • Potential remote code execution through out-of-bounds writes.
  6. GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data() A critical heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function. This vulnerability could be exploited by attackers during the processing of POST requests. If successfully exploited, it could lead to memory safety issues, allowing attackers to execute arbitrary code or cause crashes by manipulating memory allocation. Impact:
    • Remote code execution or memory corruption during POST request processing.
    • Possible data leakage or denial of service.

Why You Need to Update PHP:

The vulnerabilities addressed in this update are severe and could potentially be exploited by attackers to compromise your server, leak sensitive data, or crash your services. These security flaws could have wide-reaching consequences if left unpatched, especially in production environments where PHP is responsible for powering web applications, handling sensitive user input, or managing database connections.

Steps to Update:

  1. Check the Installed Version: Before applying any updates, verify the PHP version installed on your system to ensure that you are running a vulnerable version. php -v
  2. Apply the Update: To update PHP to the latest secure version on Debian Stretch (9), run the following commands: sudo apt update sudo apt install --only-upgrade php7.0
  3. Restart PHP Services: After updating, restart your web server or PHP-FPM service to apply the changes. sudo systemctl restart apache2 sudo systemctl restart php7.0-fpm
  4. Test for Issues: Ensure that your web applications are functioning correctly after the update by testing key functionality, particularly areas that interact with PHP processes or MySQL/LDAP systems.

Conclusion:

The security updates for PHP 7.0 address several critical vulnerabilities that could impact your systems’ security and stability. Given the potential for data leaks, unauthorized access, and system crashes, it is highly recommended that you apply this update as soon as possible to protect your infrastructure from exploitation.