A newly identified vulnerability poses significant risks for PHP-based websites operating on NGINX servers with PHP-FPM enabled. This security flaw, identified as CVE-2019-11043, could enable unauthorized remote access to affected systems. Researchers have already released proof-of-concept (PoC) exploits demonstrating this vulnerability, highlighting its potential for exploitation across various configurations that are not uncommon in active environments.
PHP-FPM (PHP FastCGI Process Manager) provides a robust implementation for processing PHP scripts, yet the recent findings indicate a crucial memory corruption vulnerability tied to the “env_path_info” parameter. When exploited in conjunction with other weaknesses, this flaw provides a pathway for attackers to execute arbitrary code remotely on vulnerable servers.
The vulnerability was first discovered by Andrew Danau, a security researcher at Wallarm, during a Capture The Flag competition. His findings were coupled with further developments by fellow researchers, Omar Ganiev and Emil Lerner, who successfully weaponized the exploit to establish a remote code execution capability. While the PoC targets servers running PHP 7 and higher, earlier PHP versions are also susceptible to various attacks that leverage this bug.
Websites exhibiting certain configurations are notably at risk. Specifically, those where NGINX redirects PHP requests to the PHP-FPM processor and where configurations lack stringent checks for file existence are particularly vulnerable. This presents a chance for adversaries to manipulate servers if the necessary protective measures, such as try_files or other validation protocols, are not implemented.
The research paper illustrated how leveraging this vulnerability can compromise systems. By manipulating the fastcgi_split_path_info directive, attackers can manipulate the underlying PHP configuration, potentially allowing them to define arbitrary php.ini values and compromise server integrity. The ease of exploitation raises alarms, particularly for web hosting services, as demonstrated by Nextcloud’s recent advisory warning its users of inherent vulnerabilities within default configurations.
In response to the threat, updates for PHP have been released to rectify the identified vulnerabilities, with both PHP 7.3.11 and 7.2.24 now available. Organizations are urged to implement these updates promptly, as the availability of the PoC exploits may have facilitated targeted scanning by malicious actors, potentially leading to widespread exploitation.
In the context of the MITRE ATT&CK framework, this incident may involve several adversarial tactics and techniques, including initial access through exploitation, privilege escalation maneuvers, and persistence methods via code execution. As organizations move to protect their infrastructures, understanding the implications of these tactics within a cybersecurity strategy remains essential.
In light of these developments, business owners managing PHP-based environments are strongly encouraged to review their server configurations and ensure they are fortified against such vulnerabilities. Keeping software updated and implementing best practices in server management is critical to safeguarding against potential exploitation by malicious actors, particularly in an increasingly complex threat landscape.