CVE-2019-11043
Published: 28 October 2019
Summary
CVE-2019-11043 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a buffer overflow condition, tracked as CWE-120 and CWE-787, that affects the PHP FastCGI Process Manager (FPM) component in versions 7.1.x prior to 7.1.33, 7.2.x prior to 7.2.24, and 7.3.x prior to 7.3.11. In specific FPM configurations, the module can write beyond allocated buffers into memory reserved for FCGI protocol data, creating conditions that enable remote code execution. The issue received a CVSS 3.1 base score of 8.7.
Remote attackers without authentication can trigger the flaw over the network when the vulnerable FPM setup is reachable, achieving code execution that impacts confidentiality and integrity with a scope change, although successful exploitation requires high attack complexity.
Vendor advisories and errata from Red Hat, openSUSE, and other distributions address the issue through updated PHP packages that correct the buffer handling in FPM; organizations are advised to apply the corresponding fixes for the affected versions. Public exploit code demonstrating the remote code execution path has been published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-2751
Vulnerability details
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of FPM setup it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
- CWE(s): CWE-120, CWE-787
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patches that eliminate the buffer overflow in PHP FPM.
- SI-16 (Memory Protection): implements memory protections that block unauthorized code execution resulting from the out-of-bounds write.
- CM-7 (Least Functionality): enforces least functionality by disabling or restricting the FPM configurations that expose the vulnerable code path.
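The controls above hinge on two questions a defender can answer locally: is the PHP-FPM build in one of the affected ranges stated on this page, and does the web server forward requests in the "certain configuration" the advisory refers to? The following Python check is an added example, not code from this page or from any vendor. It assumes the commonly documented trigger for this bug, an nginx location block whose fastcgi_split_path_info regex hands PATH_INFO to FPM without a try_files existence check (nginx itself is not named on this page), and a flat config with no nested blocks.

```python
import re

# Fixed releases stated on this page: everything below them in the same
# minor branch is in the affected range. Other branches are not covered here.
FIXED_VERSIONS = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def parse_version(text):
    """Turn '7.2.23-1+ubuntu' style strings into a (major, minor, patch) tuple."""
    return tuple(int(x) for x in text.strip().split("-")[0].split(".")[:3])


def php_fpm_affected(version):
    """True when the version lies in one of the affected ranges on this page."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


# Assumption: location blocks are flat (no nested braces), so the first '}'
# closes the block. Good enough for typical PHP-FPM snippets.
LOCATION_RE = re.compile(r"location\s+[^{]*\{(.*?)\}", re.S)


def risky_fpm_locations(nginx_conf):
    """Return location headers that set fastcgi_split_path_info but never
    guard with try_files (assumed risky pattern for this bug, see lead-in)."""
    flagged = []
    for m in LOCATION_RE.finditer(nginx_conf):
        body = m.group(1)
        if "fastcgi_split_path_info" in body and "try_files" not in body:
            flagged.append(m.group(0).split("{")[0].strip())
    return flagged


# Constructed sample: first block lacks the guard, second block has it.
SAMPLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1:9000;
}
"""

if __name__ == "__main__":
    print("PHP 7.3.10 affected:", php_fpm_affected("7.3.10"))
    print("Risky locations:", risky_fpm_locations(SAMPLE_CONF))
```

Feed it the output of `php-fpm -v` and the contents of your nginx site files; a hit on either check means SI-2 (patch) or CM-7 (restrict the configuration) still applies.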