PHP-FPM Vulnerability leads to Remote code execution
FastCGI is a way to have CGI scripts execute time-consuming code (like opening a database) only once, rather than every time the script is loaded. It mainly helps to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time.
Vulnerability | CVE-2019-11043
This vulnerability can be triggered only with the following Nginx configurations and only when NGINX is paired with PHP-FPM. It allows the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
fastcgi_param PATH_INFO $fastcgi_path_info;
The regular expression in the `fastcgi_split_path_info` directive can be broken with a newline character (%0a in URL-encoded form). A broken regexp leads to an empty PATH_INFO. When php-fpm handles an empty PATH_INFO, a logic flaw allows attackers to create fake PHP_VALUE variables. Using this technique, attackers can chain carefully chosen config values to achieve remote code execution.
The attacker's requests look like the ones below:
Admins are advised to check whether their servers are vulnerable by executing a simple bash command:
egrep -Rin --color 'fastcgi_split_path' /etc/nginx/
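The grep above reports every file that mentions `fastcgi_split_path`, including blocks that never pass the split result to PHP-FPM. The following Python script is an added example, not part of the SonicWall advisory: it walks nginx location blocks and flags only those that combine `fastcgi_split_path_info` with `fastcgi_param PATH_INFO $fastcgi_path_info`, the two directives the advisory names. The sample config and all function names are constructed for this example.

```python
import re
from pathlib import Path

# Constructed sample nginx config (not from the advisory): the first location
# block combines both directives the advisory names, the second does not.
SAMPLE_CONFIG = """
server {
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location /static/ { try_files $uri =404; }
}
"""
LOCATION_RE = re.compile(r'location\s+([^{]+)\{')
SPLIT_RE = re.compile(r'^\s*fastcgi_split_path_info\s+(\S+)\s*;', re.M)
PATH_INFO_RE = re.compile(r'^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;', re.M)

def location_blocks(text):
    """Yield (header, body) for each location block, matching braces so nested
    blocks are handled. Location regexes containing '{' are not supported."""
    for m in LOCATION_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def audit_config(text):
    """One finding per location block that both splits PATH_INFO with a regex and
    passes $fastcgi_path_info to PHP-FPM (the advisory's precondition), so it is
    narrower than grepping for fastcgi_split_path alone."""
    findings = []
    for header, body in location_blocks(text):
        split = SPLIT_RE.search(body)
        if split and PATH_INFO_RE.search(body):
            findings.append({'location': header, 'regex': split.group(1)})
    return findings

def audit_directory(root):
    """Audit every file under root (e.g. /etc/nginx/); returns {path: findings}."""
    results = {}
    for path in Path(root).rglob('*'):
        if path.is_file():
            findings = audit_config(path.read_text(errors='replace'))
            if findings:
                results[str(path)] = findings
    return results
```

Calling `audit_directory('/etc/nginx/')` performs the same sweep as the grep but lists only the blocks that meet both preconditions, each with the regex it uses; any hit is a server to prioritise for the PHP upgrade described below.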
It is recommended to upgrade to the patched release (or later) of your PHP version.
SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:
IPS 14523: PHP-FPM NGINX Remote Code Execution
SonicWall WAF has been designed to provide protection against this exploit by default.