Roundup: [oss-security] Re: CVE Request: PHP with Zend OPCache code permission/sensitive data protection vulnerability

[grahamc]

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

• [ ] Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003e62

• File Search: https://search.nix.gsc.io/?q=php&i=fosho&repos=nixos-nixpkgs
• GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=php+in%3Apath&type=Code

Should the search term be changed from php? Suggest a new package search by commenting:

-suggested:php +suggested:correctPackageName thread:0000000000003e62

Known CVEs: CVE-2015-8994

---

Skip to End

Mon, 27 Feb 2017 16:52:58 -0600 php-dev-at-coydogsoftware.net, 20170227225258.GA13043@sliver.coydogsoftware.net

Hello,

This never got a response the first time I submitted it. PHP maintainers
recognize the vulnerability, and added an undocumented non-default
setting which mitigates it. Please assign a CVE if possible.

To briefly summarize, in PHP SAPI's where PHP interpreters share a
common parent process (eg. Apache mod_php and PHP-FPM), Zend OpCache
creates a shared memory object owned by the common parent during
initialization. Child PHP processes inherit the SHM descriptor, using it
to cache and retrieve compiled script bytecode ("opcode" in PHP jargon).
Cache keys vary depending on configuration, but filename is a central
key component, and compiled opcode can generally be run if a script's
filename is known or can be guessed.

Many common shared hosting configurations change EUID in child processes
to enforce privilege separation among hosted users. In these scenarios,
default Zend OpCache behavior defeats script file permissions by sharing
a single SHM cache among all child PHP processes.

PHP scripts often contain sensitive information: Think of CMS
configurations where reading or running another user's script usually
means gaining privileges to the CMS database.

AFFECTED VERSIONS:
PHP7 < 7.0.14 and PHP5 < 5.6.29. Later versions are still vulnerable by
default unless opcache.validate_permission=1 is enabled.

AFFECTED COMPONENT:
Zend OpCache

VULNERABILITY TYPE:
Code permission/sensitive information disclosure

IMPACT:
Cross-user compromise of PHP web applications in shared hosting
environments.

Let me know if more details are needed, and feel free to contact me
privately if proof of concept is needed.

REFERENCES:
http://marc.info/?l=php-internals&m=147921016724565&w=2
https://bugs.php.net/bug.php?id=69090
http://seclists.org/oss-sec/2016/q4/343

--
php-dev at coydogsoftware dot net

Skip to End

---

Tue, 28 Feb 2017 05:08:06 -0600 php-dev-at-coydogsoftware.net, 20170228110806.GA541@sliver.coydogsoftware.net

On Mon, Feb 27, 2017 at 04:52:58PM -0600, php-dev@coydogsoftware.net wrote:
> 
> To briefly summarize, in PHP SAPI's where PHP interpreters share a
> common parent process (eg. Apache mod_php and PHP-FPM), Zend OpCache
> creates a shared memory object owned by the common parent during
> initialization. Child PHP processes inherit the SHM descriptor, using it
> to cache and retrieve compiled script bytecode ("opcode" in PHP jargon).
> Cache keys vary depending on configuration, but filename is a central
> key component, and compiled opcode can generally be run if a script's
> filename is known or can be guessed.
> 
> Many common shared hosting configurations change EUID in child processes
> to enforce privilege separation among hosted users. In these scenarios,
> default Zend OpCache behavior defeats script file permissions by sharing
> a single SHM cache among all child PHP processes.
> 
> PHP scripts often contain sensitive information: Think of CMS
> configurations where reading or running another user's script usually
> means gaining privileges to the CMS database.
> 
>  
> AFFECTED VERSIONS:
> PHP7 < 7.0.14 and PHP5 < 5.6.29. Later versions are still vulnerable by
> default unless opcache.validate_permission=1 is enabled.
> 
> AFFECTED COMPONENT:
> Zend OpCache
> 
> VULNERABILITY TYPE:
> Code permission/sensitive information disclosure
> 
> IMPACT:
> Cross-user compromise of PHP web applications in shared hosting
> environments.
> 
> REFERENCES:
> http://marc.info/?l=php-internals&m=147921016724565&w=2
> https://bugs.php.net/bug.php?id=69090
> http://seclists.org/oss-sec/2016/q4/343

This has been assigned CVE-2015-8994 via cveform.mitre.org.

--
php-dev at coydogsoftware dot net

Skip to End

---

[Mic92]

fixed: unstable: 405e117d310b2c1e3b281623de2aafca42045a55 and 35fdfd88d4e2f56e243ff8f4d803f9320b23cf9c release-17.03: 405e117d310b2c1e3b281623de2aafca42045a55 and 35fdfd88d4e2f56e243ff8f4d803f9320b23cf9c release-16.09: 43654d35b8d104e378d4875cff2839aea543e9bb and 2f6f53ed77881d8d8729b5632b4ad5f1d53d009e

[grahamc]

Thank you!