ALERT: Multiple Vulnerabilities in PHP Could Allow Remote Code Execution

Monday, March 30, 2015

This information was sent via email to U-M IT staff groups on March 30, 2015.

This information is intended for U-M IT staff who are responsible for maintaining and running university servers with PHP installed.

Summary: 

Updates are available that fix multiple vulnerabilities in PHP that could allow an attacker to remotely disclose source code and potentially execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Problem: 

Exploitation of the identified vulnerabilities could allow information disclosure or could allow remote attackers to execute arbitrary code in the context of a web server. Failed attempts at exploitation will likely result in denial-of-service conditions. While IIA is not currently aware of reports of exploitation in the wild, proof-of-concept exploit code has been made publicly available for one of the vulnerabilities, CVE-2015-0231.

Affected Versions: 
  • PHP 5.6 prior to 5.6.7
  • PHP 5.5 prior to 5.5.23
  • PHP 5.4 prior to 5.4.39
Action Items: 

IIA recommends patching within seven days, preferably sooner if doing so would not cause service disruption. If widespread exploitation begins, emergency patching and/or production service shutdowns could become necessary.

  1. Verify that no unauthorized modifications occurred to the system before installing patches.
  2. Apply appropriate fixes or patches provided by the PHP Group to vulnerable systems immediately after appropriate testing. (See PHP Downloads.)
  3. Apply the principle of least privilege to all systems and services.
  4. Limit user account privileges to only those required.
Threats: 

Proof-of-concept exploit code for CVE-2015-0231 is publicly available at this time. There are currently no reports of these vulnerabilities being exploited in the wild.

Technical Details: 

Multiple remote code execution vulnerabilities were fixed in PHP versions 5.4.39, 5.5.23, and 5.6.7. These vulnerabilities include:

  • A use-after-free vulnerability due to a use-after-free error in the _wakeup() magic method. An attacker could exploit this vulnerability using a specially crafted input passed to the unserialize() method. Successfully exploiting this issue could allow remote attackers to execute arbitrary code in the context of a web server. Failed attempts will likely result in denial-of-service conditions. (CVE-2015-0231)
  • A heap overflow vulnerability in regcomp.c. This is due to an error in the len variable, which, when enlarged, fails to perform proper bounds checking, allowing for an attacker to overflow the variable and modify data in memory. Successfully exploiting this vulnerability could allow remote attackers to execute arbitrary code in the context of a web server. Failed attempts will likely result in denial-of-service conditions. (CVE-2015-2305)
  • A heap overflow vulnerability in ZIP. When opening a ZipArchive with a large number of entries, the data will write pass the heap boundary. Successfully exploiting this vulnerability could allow remote attackers to execute arbitrary code in the context of a web server. Failed attempts will likely result in denial-of-service conditions. (CVE-2015-2331)
Information for Users: 

Users are not directly affected by these vulnerabilities and therefore do not need to take any action.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely, 
Sol Bermann, 
Interim University of Michigan Chief Information Security Officer 
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist