Threat actors are actively exploiting a recently disclosed remote code execution vulnerability in PHP 7, a popular programming language used to build websites. The flaw, tracked as CVE-2019-11043, affects websites running on NGINX web servers with the PHP FastCGI Process Manager (PHP-FPM) enabled. CVE-2019-11043 is easy to exploit: a remote attacker can take over a vulnerable web server or web application by sending a crafted request with “?a=” appended to the URL. Because of missing checks in the NGINX and PHP-FPM configurations, an attacker can modify content on the web server, embed malware in it, or use the server as a gateway into the organisation’s network. System administrators are strongly encouraged to update PHP to 7.2.24 or 7.3.11, given that the vulnerability is trivial to exploit and a working proof-of-concept is available on GitHub. If patching is not feasible, organisations can use a web application firewall to block URL-encoded newline and carriage-return bytes (%0a or %0d) in request URLs and stop incoming attacks.
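As an added example (not code from the page or from any advisory), the following Python check scans NGINX access-log lines for the request shape described above: a percent-encoded newline or carriage return in the path of a request that resolves to a .php script. It assumes the NGINX combined log format; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote

# NGINX combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# Percent-encoded LF or CR, in either letter case, exactly as the client sent it
ENCODED_NEWLINE = re.compile(r'%0[aAdD]')

def flag_cve_2019_11043(lines):
    """Return (client, request path, status) for each request whose path
    component (before any '?') carries an encoded newline or carriage
    return and resolves to a .php script. That shape is what breaks the
    fastcgi_split_path_info match in NGINX and hands PHP-FPM an empty
    PATH_INFO, so it is worth alerting on whatever the response status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group('path')
        script_part = path.split('?', 1)[0]
        if not ENCODED_NEWLINE.search(script_part):
            continue
        if '.php' in unquote(script_part).lower():
            hits.append((m.group('client'), path, int(m.group('status'))))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2019:10:15:01 +0000] "GET /index.php/%0Ax?a=1 HTTP/1.1" 200 512 "-" "curl/7.64.1"',
    '198.51.100.4 - - [22/Oct/2019:10:15:02 +0000] "GET /search?q=a%0Ab HTTP/1.1" 200 1034 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [22/Oct/2019:10:15:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Oct/2019:10:15:04 +0000] "GET /admin.php/%0d HTTP/1.1" 502 173 "-" "curl/7.64.1"',
]

if __name__ == '__main__':
    for client, path, status in flag_cve_2019_11043(SAMPLE_LOG):
        print(f'{client} {status} {path}')
```

The second sample line carries %0A only in the query string, so it is not flagged; the WAF rule the text describes would block it anyway, which is the trade-off between that blanket rule and this narrower detection.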
References: PHuiP-FPizdaM (exploit code)