The remote host is affected by the vulnerability described in GLSA-202209-20 (PHP: Multiple Vulnerabilities)

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running the PHP FPM SAPI with the main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from a local unprivileged user to the root user. (CVE-2021-21703)

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using the Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others, by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption. (CVE-2021-21704)

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially to other security implications, such as contacting a wrong server or making a wrong access decision. (CVE-2021-21705)

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects code that uses FILTER_VALIDATE_FLOAT with min/max limits. (CVE-2021-21708)

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service. (CVE-2022-31625)

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the pdo_mysql extension with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability. (CVE-2022-31626)

In PHP versions 8.1.x below 8.1.8, when using fileinfo functions such as finfo_buffer(), an incorrect patch applied to the third-party libmagic code means that the wrong function may be used to free allocated memory, which may lead to heap corruption. (CVE-2022-31627)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# @NOAGENT@
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 202209-20.
#
# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
include('compat.inc');
if (description)
{
  script_id(165627);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/10");

  script_cve_id(
    "CVE-2021-21703",
    "CVE-2021-21704",
    "CVE-2021-21705",
    "CVE-2021-21708",
    "CVE-2022-31625",
    "CVE-2022-31626",
    "CVE-2022-31627"
  );

  script_name(english:"GLSA-202209-20 : PHP: Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"");
  script_set_attribute(attribute:"description", value:
"The remote host is affected by the vulnerability described in GLSA-202209-20 (PHP: Multiple Vulnerabilities)

  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running
    PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-
    privileged users, it is possible for the child processes to access memory shared with the main process and
    write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and
    writes, which can be used to escalate privileges from local unprivileged user to the root user.
    (CVE-2021-21703)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO
    driver extension, a malicious database server could cause crashes in various database functions, such as
    getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed
    correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
    (CVE-2021-21704)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation
    functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password
    field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially
    leading to other security implications - like contacting a wrong server or making a wrong access decision.
    (CVE-2021-21705)

  - In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions
    with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to
    trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of
    other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
    (CVE-2021-21708)

  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres
    database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to
    free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of
    service. (CVE-2022-31625)

  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension
    with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the
    connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote
    code execution vulnerability. (CVE-2022-31626)

  - In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch
    applied to the third party code from libmagic, incorrect function may be used to free allocated memory,
    which may lead to heap corruption. (CVE-2022-31627)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202209-20");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=799776");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=810526");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=819510");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=833585");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=850772");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=857054");
  script_set_attribute(attribute:"solution", value:
"All PHP 7.4 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose >=dev-lang/php-7.4.30:7.4

All PHP 8.0 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose >=dev-lang/php-8.0.23:8.0

All PHP 8.1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose >=dev-lang/php-8.1.8:8.1");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-21703");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-31627");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/09/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:php");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gentoo Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}
include("qpkg.inc");

# Bail out early unless local checks are enabled and the target is a Gentoo host
# whose installed-package list (qpkg-list) was collected over SSH.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var flag = 0;

# One entry per PHP slot: a version that matches any "unaffected" term is not
# reported; otherwise a match on a "vulnerable" term sets the flag.
var packages = [
  {
    'name' : "dev-lang/php",
    'unaffected' : make_list("ge 7.4.30", "lt 7.0.0"),
    'vulnerable' : make_list("lt 7.4.30")
  },
  {
    'name' : "dev-lang/php",
    'unaffected' : make_list("ge 8.0.23", "lt 8.0.0"),
    'vulnerable' : make_list("lt 8.0.23")
  },
  {
    'name' : "dev-lang/php",
    'unaffected' : make_list("ge 8.1.8", "lt 8.1.0"),
    'vulnerable' : make_list("lt 8.1.8")
  }
];

foreach package( packages ) {
  if (isnull(package['unaffected'])) package['unaffected'] = make_list();
  if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();
  if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;
}

# This plugin has a different number of unaffected and vulnerable versions for
# one or more packages. To ensure proper detection, a separate line should be
# used for each fixed/vulnerable version pair.
if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : qpkg_report_get()
  );
  exit(0);
}
else
{
  qpkg_tests = list_uniq(qpkg_tests);
  var tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PHP");
}
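The package table and the qpkg_check loop above are what decide whether an installed dev-lang/php is reported. The following Python re-implements that decision so it can be run against a captured package list offline; it is an added example, not Tenable's qpkg.inc, and it assumes qpkg_check semantics in which a match on any unaffected term takes precedence over the vulnerable terms, and that installed versions are Gentoo PVR strings such as "8.0.22-r1".

```python
import re

# Gentoo suffix ordering (PMS): _alpha < _beta < _pre < _rc < release < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_PVR = re.compile(r"(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?")


def parse_version(v):
    """Map a Gentoo PVR such as "8.1.8_rc1-r2" to a comparable tuple.
    Assumption: single-letter suffixes like "1.0a" are not handled here."""
    m = _PVR.fullmatch(v)
    if not m:
        raise ValueError(f"unrecognised Gentoo version: {v!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    suffix = m.group(2) or ""
    return (numbers, _SUFFIX_RANK[suffix], int(m.group(3) or 0), int(m.group(4) or 0))


def matches(version, spec):
    """Evaluate one range term written in the plugin's notation, e.g. "ge 7.4.30"."""
    op, bound = spec.split()
    a, b = parse_version(version), parse_version(bound)
    return {"lt": a < b, "le": a <= b, "eq": a == b, "ge": a >= b, "gt": a > b}[op]


# The three slot entries exactly as the plugin declares them.
PACKAGES = [
    {"name": "dev-lang/php", "unaffected": ["ge 7.4.30", "lt 7.0.0"], "vulnerable": ["lt 7.4.30"]},
    {"name": "dev-lang/php", "unaffected": ["ge 8.0.23", "lt 8.0.0"], "vulnerable": ["lt 8.0.23"]},
    {"name": "dev-lang/php", "unaffected": ["ge 8.1.8", "lt 8.1.0"], "vulnerable": ["lt 8.1.8"]},
]


def qpkg_check(installed, entry):
    """Assumed qpkg_check semantics: an unaffected match clears the version,
    otherwise any vulnerable match flags it."""
    if any(matches(installed, s) for s in entry["unaffected"]):
        return False
    return any(matches(installed, s) for s in entry["vulnerable"])


def vulnerable_entries(qpkg_list):
    """qpkg_list mirrors Host/Gentoo/qpkg-list: {"dev-lang/php": ["8.0.22-r1", ...]}.
    Returns the (package, version) pairs the plugin would report."""
    flagged = []
    for entry in PACKAGES:
        for ver in qpkg_list.get(entry["name"], []):
            if qpkg_check(ver, entry) and (entry["name"], ver) not in flagged:
                flagged.append((entry["name"], ver))
    return flagged
```

Because each slot entry's unaffected list also clears every other slot (for example "lt 8.0.0" clears a 7.4 build against the 8.0 entry), a host with several PHP slots installed is reported only for the slots that are actually behind their fixed version.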
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31627
https://bugs.gentoo.org/show_bug.cgi?id=799776
https://bugs.gentoo.org/show_bug.cgi?id=810526
https://bugs.gentoo.org/show_bug.cgi?id=819510
https://bugs.gentoo.org/show_bug.cgi?id=833585
https://bugs.gentoo.org/show_bug.cgi?id=850772
https://bugs.gentoo.org/show_bug.cgi?id=857054
https://security.gentoo.org/glsa/202209-20