mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

CVE-2019-11043: PHP-FPM arbitrary code execution vulnerability #3091

Closed immanuelfodor closed 5 years ago

immanuelfodor commented 5 years ago

There is a new PHP/nginx vulnerability that might affect Mailcow as well, as a quick search of this repo turns up many fastcgi_split_path_info results.

PHP bugtracker: https://bugs.php.net/bug.php?id=78599
Exploit PoC: https://github.com/neex/phuip-fpizdam
An example vulnerable docker-compose env: https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043

The solution according to this article is:

On October 24, PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this vulnerability along with other scheduled bug fixes. Those using nginx with PHP-FPM are encouraged to upgrade to a patched version as soon as possible.

If patching is not feasible, the suggested workaround is to include checks to verify whether or not a file exists. This is achieved either by including the try_files directive or using an if statement, such as if (-f $uri).

After a fresh ./update.sh the version is (@ Fri Oct 25 08:00:17 CEST 2019):

docker-compose exec php-fpm-mailcow php -v
# PHP 7.3.10 (cli) (built: Oct  4 2019 23:31:43) ( NTS )
# Copyright (c) 1997-2018 The PHP Group
# Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies
#    with Zend OPcache v7.3.10, Copyright (c) 1999-2018, by Zend Technologies

This is how Nextcloud handles the issue: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
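As an added illustration of the workaround quoted above (this is example config, not mailcow's own nginx config), a PHP-FPM location block that refuses to forward a request to php-fpm unless the script actually exists on disk; the socket path and location regex are assumptions:

```nginx
# Added example, not part of the mailcow repo. Mitigation for CVE-2019-11043
# when upgrading PHP-FPM is not immediately possible: check the script file
# exists before the request ever reaches php-fpm.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # try_files re-evaluates the variables of the location, which clears
    # $fastcgi_path_info; keep a copy first so PATH_INFO still works.
    set $path_info $fastcgi_path_info;

    # The actual check: return 404 unless the .php file is present.
    # Requests with a crafted path to a non-existent script stop here
    # instead of being passed through to a vulnerable FPM.
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $path_info;
    # Assumed socket path; adjust to the php-fpm listen address in use.
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
```

After changing the config, `nginx -t` validates it and a request for a non-existent `.php` path should now return 404 from nginx rather than being answered by php-fpm.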

andryyy commented 5 years ago

Thanks, will push a new image in a bit. :)

immanuelfodor commented 5 years ago

Wow, that was quick, thanks! Updated, but the PHP version seems to be the same:

docker-compose exec php-fpm-mailcow php -v
# PHP 7.3.10 (cli) (built: Oct  4 2019 23:31:43) ( NTS )
# Copyright (c) 1997-2018 The PHP Group
# Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies
#    with Zend OPcache v7.3.10, Copyright (c) 1999-2018, by Zend Technologies

ntimo commented 5 years ago

I just checked, there is no php 7.3.11 package for alpine 3.10 yet: https://pkgs.alpinelinux.org/packages?name=php7&branch=v3.10 . That's probably why the base image we use for php-fpm is not yet up to date.

immanuelfodor commented 5 years ago

It seems there is an open PR here: https://github.com/alpinelinux/aports/pull/11979

ntimo commented 5 years ago

Okay, I checked the upstream image further: https://hub.docker.com/_/php?tab=tags&page=1&name=7.3-fpm-alpine3.10 was updated 35 minutes ago with the new version. I think @andryyy has to rebuild once more :)

docker run --rm -it php:7.3-fpm-alpine3.10 php --version
PHP 7.3.11 (cli) (built: Oct 25 2019 03:29:07) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies

mfs100 commented 5 years ago

Just a remark: all the locations found by OP's search have a "try_files" clause, which should protect against exploitation of this vulnerability. I think only the Nextcloud one could be affected. Updating the FPM is still a good idea anyway.

andryyy commented 5 years ago

Will be pushed in a bit.

ntimo commented 5 years ago

Fixed by https://github.com/mailcow/mailcow-dockerized/commit/e101900787f839d11f6dc1d0d62f9b053c0f45a9