Vulnerabilities > CVE-2017-12934 - Use After Free vulnerability in PHP

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
php
CWE-416
nessus

Summary

ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCGI abuses
    NASL idPHP_7_0_21.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.21. It is, therefore, affected by the following vulnerabilities : - An out-of-bounds read error exists in the PCRE library in the compile_bracket_matchingpath() function within file pcre_jit_compile.c. An unauthenticated, remote attacker can exploit this, via a specially crafted regular expression, to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-6004) - An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-7890) - An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224) - An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226) - An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227) - An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228) - An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229) - A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of
    last seen2020-04-30
    modified2017-07-13
    plugin id101526
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101526
    titlePHP 7.0.x < 7.0.21 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101526);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id(
        "CVE-2017-6004",
        "CVE-2017-7890",
        "CVE-2017-9224",
        "CVE-2017-9226",
        "CVE-2017-9227",
        "CVE-2017-9228",
        "CVE-2017-9229",
        "CVE-2017-11144",
        "CVE-2017-11145",
        "CVE-2017-11362",
        "CVE-2017-11628",
        "CVE-2017-12933",
        "CVE-2017-12934"
      );
      script_bugtraq_id(
        96295,
        99489,
        99490,
        99492,
        99501,
        100428
      );
    
      script_name(english:"PHP 7.0.x < 7.0.21 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of PHP running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP running on the remote web
    server is 7.0.x prior to 7.0.21. It is, therefore, affected by the
    following vulnerabilities :
    
      - An out-of-bounds read error exists in the PCRE library
        in the compile_bracket_matchingpath() function within
        file pcre_jit_compile.c. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        regular expression, to crash a process linked to the
        library, resulting in a denial of service condition.
        (CVE-2017-6004)
    
      - An out-of-bounds read error exists in the GD Graphics
        Library (LibGD) in the gdImageCreateFromGifCtx()
        function within file gd_gif_in.c when handling a
        specially crafted GIF file. An unauthenticated, remote
        attacker can exploit this to disclose sensitive memory
        contents or crash a process linked to the library.
        (CVE-2017-7890)
    
      - An out-of-bounds read error exists in Oniguruma in the
        match_at() function within file regexec.c. An
        unauthenticated, remote attacker can exploit this to
        disclose sensitive memory contents or crash a process
        linked to the library. (CVE-2017-9224)
    
      - An out-of-bounds write error exists in Oniguruma in the
        next_state_val() function during regular expression
        compilation. An unauthenticated, remote attacker can
        exploit this to execute arbitrary code. (CVE-2017-9226)
    
      - An out-of-bounds read error exists in Oniguruma in the
        mbc_enc_len() function within file utf8.c. An
        unauthenticated, remote attacker can exploit this to
        disclose memory contents or crash a process linked to
        the library. (CVE-2017-9227)
    
      - An out-of-bounds write error exists in Oniguruma in the
        bitset_set_range() function during regular expression
        compilation. An unauthenticated, remote attacker can
        exploit this to execute arbitrary code. (CVE-2017-9228)
    
      - An invalid pointer deference flaw exists in Oniguruma
        in the left_adjust_char_head() function within file
        regexec.c during regular expression compilation. An
        unauthenticated, remote attacker can exploit this to
        crash a process linked to the library, resulting in a
        denial of service condition. (CVE-2017-9229)
    
      - A flaw exists in OpenSSL in the EVP_SealInit() function
        within file crypto/evp/p_seal.c due to returning an
        undocumented value of '-1'. An unauthenticated, remote
        attacker can exploit this to cause an unspecified
        impact. (CVE-2017-11144)
    
      - An out-of-bounds read error exists in PHP in the
        php_parse_date() function within file
        ext/date/lib/parse_date.c. An unauthenticated, remote
        attacker can exploit this to disclose memory contents or
        cause a denial of service condition. (CVE-2017-11145)
    
      - A stack-based buffer overflow condition exists in PHP
        in the msgfmt_parse_message() function due to improper
        validation of user-supplied input when parsing locale.
        An unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-11362)
    
      - An off-by-one overflow condition exists in PHP in the
        INI parsing API, specifically in the zend_ini_do_op()
        function within file Zend/zend_ini_parser.c, due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-11628)
    
      - An out-of-bounds read error exists in PHP in the
        finish_nested_data() function within file
        ext/standard/var_unserializer.re. An unauthenticated,
        remote attacker can exploit this to disclose memory
        contents or cause a denial of service condition.
        (CVE-2017-12933)
    
      - A use-after-free error exists in PHP in the
        zval_get_type() function within file
        ext/standard/var_unserializer.c. An unauthenticated,
        remote attacker can exploit this to execute arbitrary
        code. (CVE-2017-12934)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.21");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 7.0.21 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12933");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("vcf_extras.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    vcf::php::initialize();
    
    port = get_http_port(default:80, php:TRUE);
    
    app_info = vcf::php::get_app_info(port:port);
    
    constraints = [
      { "min_version" : "7.0.0alpha0", "fixed_version" : "7.0.21" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2468-1.NASL
    descriptionThis update for php7 fixes several issues. These security issues were fixed : - CVE-2017-12932: Prevent heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054432). - CVE-2017-12934: Prevent heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054408). - CVE-2017-12933: The finish_nested_data function in ext/standard/var_unserializer.re was prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054430) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id120006
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120006
    titleSUSE SLES12 Security Update : php7 (SUSE-SU-2017:2468-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1061.NASL
    descriptionThis update for php7 fixes several issues. These security issues were fixed : - CVE-2017-12932: Prevent heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054432). - CVE-2017-12934: Prevent heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054408). - CVE-2017-12933: The finish_nested_data function in ext/standard/var_unserializer.re was prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054430) These non-security issues were fixed : - bsc#1057104: php7-devel now requires php7-pear - bsc#1057845: Fixed namespace encapsulation of imported classes/functions/constants This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2017-09-18
    plugin id103286
    published2017-09-18
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103286
    titleopenSUSE Security Update : php7 (openSUSE-2017-1061)
  • NASL familyCGI abuses
    NASL idPHP_7_1_7.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.7. It is, therefore, affected by the following vulnerabilities : - An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-7890) - An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224) - An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226) - An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227) - An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228) - An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229) - A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of
    last seen2020-04-30
    modified2017-07-13
    plugin id101527
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101527
    titlePHP 7.1.x < 7.1.7 Multiple Vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4080.NASL
    descriptionSeveral vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : - CVE-2017-11144 Denial of service in openssl extension due to incorrect return value check of OpenSSL sealing function - CVE-2017-11145 Out-of-bounds read in wddx_deserialize() - CVE-2017-11628 Buffer overflow in PHP INI parsing API - CVE-2017-12932 / CVE-2017-12934 Use-after-frees during unserialisation - CVE-2017-12933 Buffer overread in finish_nested_data() - CVE-2017-16642 Out-of-bounds read in timelib_meridian()
    last seen2020-06-01
    modified2020-06-02
    plugin id105663
    published2018-01-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105663
    titleDebian DSA-4080-1 : php7.0 - security update

Redhat

advisories
rhsa
idRHSA-2018:1296
rpms
  • rh-php70-php-0:7.0.27-1.el6
  • rh-php70-php-0:7.0.27-1.el7
  • rh-php70-php-bcmath-0:7.0.27-1.el6
  • rh-php70-php-bcmath-0:7.0.27-1.el7
  • rh-php70-php-cli-0:7.0.27-1.el6
  • rh-php70-php-cli-0:7.0.27-1.el7
  • rh-php70-php-common-0:7.0.27-1.el6
  • rh-php70-php-common-0:7.0.27-1.el7
  • rh-php70-php-dba-0:7.0.27-1.el6
  • rh-php70-php-dba-0:7.0.27-1.el7
  • rh-php70-php-dbg-0:7.0.27-1.el6
  • rh-php70-php-dbg-0:7.0.27-1.el7
  • rh-php70-php-debuginfo-0:7.0.27-1.el6
  • rh-php70-php-debuginfo-0:7.0.27-1.el7
  • rh-php70-php-devel-0:7.0.27-1.el6
  • rh-php70-php-devel-0:7.0.27-1.el7
  • rh-php70-php-embedded-0:7.0.27-1.el6
  • rh-php70-php-embedded-0:7.0.27-1.el7
  • rh-php70-php-enchant-0:7.0.27-1.el6
  • rh-php70-php-enchant-0:7.0.27-1.el7
  • rh-php70-php-fpm-0:7.0.27-1.el6
  • rh-php70-php-fpm-0:7.0.27-1.el7
  • rh-php70-php-gd-0:7.0.27-1.el6
  • rh-php70-php-gd-0:7.0.27-1.el7
  • rh-php70-php-gmp-0:7.0.27-1.el6
  • rh-php70-php-gmp-0:7.0.27-1.el7
  • rh-php70-php-imap-0:7.0.27-1.el6
  • rh-php70-php-intl-0:7.0.27-1.el6
  • rh-php70-php-intl-0:7.0.27-1.el7
  • rh-php70-php-json-0:7.0.27-1.el6
  • rh-php70-php-json-0:7.0.27-1.el7
  • rh-php70-php-ldap-0:7.0.27-1.el6
  • rh-php70-php-ldap-0:7.0.27-1.el7
  • rh-php70-php-mbstring-0:7.0.27-1.el6
  • rh-php70-php-mbstring-0:7.0.27-1.el7
  • rh-php70-php-mysqlnd-0:7.0.27-1.el6
  • rh-php70-php-mysqlnd-0:7.0.27-1.el7
  • rh-php70-php-odbc-0:7.0.27-1.el6
  • rh-php70-php-odbc-0:7.0.27-1.el7
  • rh-php70-php-opcache-0:7.0.27-1.el6
  • rh-php70-php-opcache-0:7.0.27-1.el7
  • rh-php70-php-pdo-0:7.0.27-1.el6
  • rh-php70-php-pdo-0:7.0.27-1.el7
  • rh-php70-php-pgsql-0:7.0.27-1.el6
  • rh-php70-php-pgsql-0:7.0.27-1.el7
  • rh-php70-php-process-0:7.0.27-1.el6
  • rh-php70-php-process-0:7.0.27-1.el7
  • rh-php70-php-pspell-0:7.0.27-1.el6
  • rh-php70-php-pspell-0:7.0.27-1.el7
  • rh-php70-php-recode-0:7.0.27-1.el6
  • rh-php70-php-recode-0:7.0.27-1.el7
  • rh-php70-php-snmp-0:7.0.27-1.el6
  • rh-php70-php-snmp-0:7.0.27-1.el7
  • rh-php70-php-soap-0:7.0.27-1.el6
  • rh-php70-php-soap-0:7.0.27-1.el7
  • rh-php70-php-tidy-0:7.0.27-1.el6
  • rh-php70-php-xml-0:7.0.27-1.el6
  • rh-php70-php-xml-0:7.0.27-1.el7
  • rh-php70-php-xmlrpc-0:7.0.27-1.el6
  • rh-php70-php-xmlrpc-0:7.0.27-1.el7
  • rh-php70-php-zip-0:7.0.27-1.el6
  • rh-php70-php-zip-0:7.0.27-1.el7