Advisory Overview
NGINX is a highly popular website platform which utilizes many different plug-ins and add-ons to enhance its native functionality. NGINX websites which use PHP-FPM (a set of software technologies that work to improve website performance and page loading) can become subject to attack from remote threat actors. A successful attack can create the ability for a threat actor to run their own program code on a compromised web server, putting both the server’s own data and visitors to the site at risk. It should be noted that NGINX itself doesn’t contain this vulnerability, only NGINX configurations that also use PHP-FPM are vulnerable. The creators of PHP-FPM and the PHP project have released updates to remove this vulnerability from PHP-FPM. Contact your MSP or web-hosting manager/partner for additional details.
Technical detail and additional information
What is the threat?
A new PHP vulnerability discovered by security researcher could allow unauthorized users to hack a web server remotely. PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. The vulnerability is known as CVE-2019-11043 and is created by the “env_path_info” underflow memory corruption issue which exists in older versions of PHP-FPM. This memory corruption could allow malicious actors to remotely execute arbitrary code on the vulnerable web servers.
Why is this noteworthy?
This is noteworthy because many websites are hosted on webservers which currently use NGINX, which does not include native FastCGI functionality and therefore is often configured with PHP-FPM to bring these functions into the platform. It is important to note that NGINX itself is not subject to this vulnerability, only NGINX implementations that also use PHP-FPM are vulnerable.
What is the exposure or risk?
The versions of PHP affected by this vulnerability are versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11. This issue only affects instances running PHP_FPM under NGINX server software. With certain configurations of the PHP- FPM setup it is possible to cause the PHP- FPM module to write past allocated buffers into the space reserved for FCGI protocol data and create a memory corruption issue, eventually allowing remote code execution vulnerabilities which could be exploited by threat actors. As threat actors could then execute arbitrary code on the web server, this could lead to a compromise of the server itself (and any data contained on it) as well as creating situations where the sites running on the server could distribute malware or be used for phishing attacks against site visitors.
What are the recommendations?
- Update versions of PHP is using version: PHP 7.1.33, PHP 7.2.24, or PHP 7.3.11.
- Use a different PHP process manager rather than PHP-FPM, preferably NGINX Unit. (NGINX Unit is a high‑performance, open source application server and process manager that supports numerous languages and frameworks in addition to PHP.)
- Add a try_filesdirective to the NGINX configuration to verify that the $uri variable resolves to a file (the PHP script) and reject the request with code 404 (Not Found)
- Use F5 BIG-IP ASM (Application Security Manager) and/or similar security technologies to protect web application
- Add a ModSecurity rule to block requests that contain the suspicious %0a or %0d character.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
- https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html
- https://blog.qualys.com/webappsec/2019/10/30/php-remote-code-execution-vulnerability-cve-2019-11043
For more information, please contact our Security Operations Center.