Multiple vulnerabilities in PHP

Published: 2020-02-25

Risk	High
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2020-7063 CVE-2020-7061 CVE-2020-7062
CWE-ID	CWE-276 CWE-122 CWE-476
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	PHP Universal components / Libraries / Scripting languages
Vendor	PHP Group

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Incorrect default permissions

EUVDB-ID: #VU25592

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-7063

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect default permissions for files and folders that are set during the Phar::buildFromIterator() call when adding files into tar archive. A local user can extract files from tar archive and gain access to otherwise restricted information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 7.2.0 - 7.4.2

CPE2.3

External links

https://www.php.net/ChangeLog-7.php
https://bugs.php.net/bug.php?id=79082

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Heap-based buffer overflow

EUVDB-ID: #VU25593

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-7061

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the phar_extract_file() function. A remote attacker can pass specially crafted file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 7.3.0alpha1 - 7.4.2

CPE2.3

External links

https://www.php.net/ChangeLog-7.php#7.4.3
https://bugs.php.net/79171

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL pointer dereference

EUVDB-ID: #VU25594

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-7062

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in session.c when handling file uploads. A remote attacker can send a specially crafted HTTP POST request to the affected application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 7.2.0 - 7.4.2

CPE2.3

External links

https://www.php.net/ChangeLog-7.php#7.4.3
https://bugs.php.net/bug.php?id=79221

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.