Weekly Comments

22 - 29 October 2019

Threat actors are actively exploiting a recently disclosed remote code execution vulnerability in PHP7.

Threat actors are actively exploiting a recently disclosed remote code execution vulnerability in PHP 7, a popular programming language used to build websites. The flaw, tracked as CVE-2019-11043, affects websites running on NGINX web servers with the PHP FastCGI Process Manager (PHP-FPM) enabled. CVE-2019-11043 is easy to exploit: a remote attacker can take over a vulnerable web server or web application by sending a crafted request with “?a=” appended to the URL. Because of insufficient checks in the NGINX and PHP-FPM configurations, an attacker can modify content on the web server, embed malware in it, or use it as a gateway into the organisation’s network. System administrators are strongly encouraged to update PHP to 7.2.24 or 7.3.11, given that the vulnerability is trivial to exploit and a working proof-of-concept is available on GitHub. If patching is not feasible, organisations can use a web application firewall to block “newline” (%0a or %0d) bytes in website URLs and prevent incoming attacks.
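The interim mitigation above is to block percent-encoded newline bytes (%0a or %0d) in request URLs. The same check is useful in the other direction: scanning existing NGINX access logs for requests that already carried those bytes tells a defender whether the pattern was seen before patching. The script below is an added example, not code from the original advisory or from any of the referenced projects; the log lines it scans are constructed samples in the standard combined log format, and the regular expressions and function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample NGINX access-log lines (combined log format); not real traffic.
# Line 2 carries %0A in the path, line 4 carries %0d, line 5 is double-encoded
# (%250a) and therefore contains no literal %0a/%0d sequence.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2019:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Oct/2019:10:15:02 +0000] "GET /index.php/foo%0Abar HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.12 - - [24/Oct/2019:10:15:03 +0000] "GET /about.php?a=test HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [24/Oct/2019:10:15:04 +0000] "GET /index.php%0d/foo HTTP/1.1" 404 0 "-" "python-requests/2.22"
203.0.113.14 - - [24/Oct/2019:10:15:05 +0000] "GET /index.php%250a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined-log-format parser: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Percent-encoded LF (%0a) or CR (%0d), case-insensitive: the bytes the
# advisory recommends blocking at the web application firewall.
ENCODED_NEWLINE_RE = re.compile(r'%0[ad]', re.IGNORECASE)


def has_encoded_newline(uri: str) -> bool:
    """True if the request URI carries a percent-encoded CR or LF byte."""
    return ENCODED_NEWLINE_RE.search(uri) is not None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, uri) for every request whose URI
    contains %0a or %0d. Lines that do not parse as combined log format
    are skipped rather than raising."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if has_encoded_newline(m.group('uri')):
            hits.append((m.group('ip'), m.group('ts'), m.group('uri')))
    return hits


if __name__ == '__main__':
    # Usage: python3 scan.py < access.log, or run as-is against the sample.
    for ip, ts, uri in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f'{ts} {ip} {uri}')
```

The same `ENCODED_NEWLINE_RE` pattern is what a WAF rule for this mitigation needs to match on the raw (not yet decoded) request path; matching on the decoded path instead would miss the encoded form the advisory describes.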

References:

PHP Remote Code Execution 0-Day Discovered in Real World CTF Exercise

Urgent security issue in NGINX/php-fpm

PHuiP-FPizdaM (Exploit Code)
