#VU34944 Out-of-bounds read in PHP and Debian Linux - CVE-2019-11046

Cybersecurity Help s.r.o.

Published: 2019-12-23 | Updated: 2020-08-08

Vulnerability identifier: #VU34944

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11046

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages
Debian Linux
Operating systems & Components / Operating system

Vendor: PHP Group
Debian

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 7.4.0

Debian Linux: 7.4.0 - 8.0

External links
https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
https://bugs.php.net/bug.php?id=78878
https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
https://seclists.org/bugtraq/2020/Feb/27
https://seclists.org/bugtraq/2020/Feb/31
https://security.netapp.com/advisory/ntap-20200103-0002/
https://support.f5.com/csp/article/K48866433?utm_source=f5support&utm_medium=RSS
https://usn.ubuntu.com/4239-1/
https://www.debian.org/security/2020/dsa-4626
https://www.debian.org/security/2020/dsa-4628

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Tenable.sc

Debian update for php7.0

Debian update for php7.3

OpenSUSE Linux update for php7

Fedora 31 update for php

Fedora 30 update for php