Amazon Linux AMI update for php

Published: 2012-07-05

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2012-2143 CVE-2012-2386
CWE-ID	CWE-310 CWE-122
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #2 is available.
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cryptographic issues

EUVDB-ID: #VU43910

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-2143

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. As per: http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34 and http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=aab49e934de1fff046e659cbec46e3d053b41c34 PHP 5.3.13 and earlier are vulnerable.

Mitigation

Update the affected packages:

i686:
    php-intl-5.3.14-2.21.amzn1.i686
    php-mysql-5.3.14-2.21.amzn1.i686
    php-mbstring-5.3.14-2.21.amzn1.i686
    php-xmlrpc-5.3.14-2.21.amzn1.i686
    php-recode-5.3.14-2.21.amzn1.i686
    php-xml-5.3.14-2.21.amzn1.i686
    php-embedded-5.3.14-2.21.amzn1.i686
    php-mcrypt-5.3.14-2.21.amzn1.i686
    php-bcmath-5.3.14-2.21.amzn1.i686
    php-dba-5.3.14-2.21.amzn1.i686
    php-odbc-5.3.14-2.21.amzn1.i686
    php-soap-5.3.14-2.21.amzn1.i686
    php-debuginfo-5.3.14-2.21.amzn1.i686
    php-tidy-5.3.14-2.21.amzn1.i686
    php-devel-5.3.14-2.21.amzn1.i686
    php-snmp-5.3.14-2.21.amzn1.i686
    php-pgsql-5.3.14-2.21.amzn1.i686
    php-process-5.3.14-2.21.amzn1.i686
    php-fpm-5.3.14-2.21.amzn1.i686
    php-mysqlnd-5.3.14-2.21.amzn1.i686
    php-ldap-5.3.14-2.21.amzn1.i686
    php-5.3.14-2.21.amzn1.i686
    php-pspell-5.3.14-2.21.amzn1.i686
    php-imap-5.3.14-2.21.amzn1.i686
    php-mssql-5.3.14-2.21.amzn1.i686
    php-common-5.3.14-2.21.amzn1.i686
    php-cli-5.3.14-2.21.amzn1.i686
    php-pdo-5.3.14-2.21.amzn1.i686
    php-gd-5.3.14-2.21.amzn1.i686

src:
    php-5.3.14-2.21.amzn1.src

x86_64:
    php-mssql-5.3.14-2.21.amzn1.x86_64
    php-cli-5.3.14-2.21.amzn1.x86_64
    php-fpm-5.3.14-2.21.amzn1.x86_64
    php-pgsql-5.3.14-2.21.amzn1.x86_64
    php-common-5.3.14-2.21.amzn1.x86_64
    php-bcmath-5.3.14-2.21.amzn1.x86_64
    php-embedded-5.3.14-2.21.amzn1.x86_64
    php-xmlrpc-5.3.14-2.21.amzn1.x86_64
    php-recode-5.3.14-2.21.amzn1.x86_64
    php-gd-5.3.14-2.21.amzn1.x86_64
    php-pspell-5.3.14-2.21.amzn1.x86_64
    php-odbc-5.3.14-2.21.amzn1.x86_64
    php-5.3.14-2.21.amzn1.x86_64
    php-mbstring-5.3.14-2.21.amzn1.x86_64
    php-soap-5.3.14-2.21.amzn1.x86_64
    php-intl-5.3.14-2.21.amzn1.x86_64
    php-devel-5.3.14-2.21.amzn1.x86_64
    php-ldap-5.3.14-2.21.amzn1.x86_64
    php-mysqlnd-5.3.14-2.21.amzn1.x86_64
    php-dba-5.3.14-2.21.amzn1.x86_64
    php-debuginfo-5.3.14-2.21.amzn1.x86_64
    php-xml-5.3.14-2.21.amzn1.x86_64
    php-tidy-5.3.14-2.21.amzn1.x86_64
    php-process-5.3.14-2.21.amzn1.x86_64
    php-pdo-5.3.14-2.21.amzn1.x86_64
    php-mcrypt-5.3.14-2.21.amzn1.x86_64
    php-imap-5.3.14-2.21.amzn1.x86_64
    php-mysql-5.3.14-2.21.amzn1.x86_64
    php-snmp-5.3.14-2.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2012-95.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

EUVDB-ID: #VU43908

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2012-2386

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4. A remote attacker can use a crafted tar file that triggers a heap-based buffer overflow. to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    php-intl-5.3.14-2.21.amzn1.i686
    php-mysql-5.3.14-2.21.amzn1.i686
    php-mbstring-5.3.14-2.21.amzn1.i686
    php-xmlrpc-5.3.14-2.21.amzn1.i686
    php-recode-5.3.14-2.21.amzn1.i686
    php-xml-5.3.14-2.21.amzn1.i686
    php-embedded-5.3.14-2.21.amzn1.i686
    php-mcrypt-5.3.14-2.21.amzn1.i686
    php-bcmath-5.3.14-2.21.amzn1.i686
    php-dba-5.3.14-2.21.amzn1.i686
    php-odbc-5.3.14-2.21.amzn1.i686
    php-soap-5.3.14-2.21.amzn1.i686
    php-debuginfo-5.3.14-2.21.amzn1.i686
    php-tidy-5.3.14-2.21.amzn1.i686
    php-devel-5.3.14-2.21.amzn1.i686
    php-snmp-5.3.14-2.21.amzn1.i686
    php-pgsql-5.3.14-2.21.amzn1.i686
    php-process-5.3.14-2.21.amzn1.i686
    php-fpm-5.3.14-2.21.amzn1.i686
    php-mysqlnd-5.3.14-2.21.amzn1.i686
    php-ldap-5.3.14-2.21.amzn1.i686
    php-5.3.14-2.21.amzn1.i686
    php-pspell-5.3.14-2.21.amzn1.i686
    php-imap-5.3.14-2.21.amzn1.i686
    php-mssql-5.3.14-2.21.amzn1.i686
    php-common-5.3.14-2.21.amzn1.i686
    php-cli-5.3.14-2.21.amzn1.i686
    php-pdo-5.3.14-2.21.amzn1.i686
    php-gd-5.3.14-2.21.amzn1.i686

src:
    php-5.3.14-2.21.amzn1.src

x86_64:
    php-mssql-5.3.14-2.21.amzn1.x86_64
    php-cli-5.3.14-2.21.amzn1.x86_64
    php-fpm-5.3.14-2.21.amzn1.x86_64
    php-pgsql-5.3.14-2.21.amzn1.x86_64
    php-common-5.3.14-2.21.amzn1.x86_64
    php-bcmath-5.3.14-2.21.amzn1.x86_64
    php-embedded-5.3.14-2.21.amzn1.x86_64
    php-xmlrpc-5.3.14-2.21.amzn1.x86_64
    php-recode-5.3.14-2.21.amzn1.x86_64
    php-gd-5.3.14-2.21.amzn1.x86_64
    php-pspell-5.3.14-2.21.amzn1.x86_64
    php-odbc-5.3.14-2.21.amzn1.x86_64
    php-5.3.14-2.21.amzn1.x86_64
    php-mbstring-5.3.14-2.21.amzn1.x86_64
    php-soap-5.3.14-2.21.amzn1.x86_64
    php-intl-5.3.14-2.21.amzn1.x86_64
    php-devel-5.3.14-2.21.amzn1.x86_64
    php-ldap-5.3.14-2.21.amzn1.x86_64
    php-mysqlnd-5.3.14-2.21.amzn1.x86_64
    php-dba-5.3.14-2.21.amzn1.x86_64
    php-debuginfo-5.3.14-2.21.amzn1.x86_64
    php-xml-5.3.14-2.21.amzn1.x86_64
    php-tidy-5.3.14-2.21.amzn1.x86_64
    php-process-5.3.14-2.21.amzn1.x86_64
    php-pdo-5.3.14-2.21.amzn1.x86_64
    php-mcrypt-5.3.14-2.21.amzn1.x86_64
    php-imap-5.3.14-2.21.amzn1.x86_64
    php-mysql-5.3.14-2.21.amzn1.x86_64
    php-snmp-5.3.14-2.21.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2012-95.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.