{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2020-018.pdf" }, "title": "Serious PHP Vulnerability", "serial_number": "2020-018", "publish_date": "03-04-2020 12:31:00", "description": "In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using \"mb_strtolower()\" function with \"UTF-32LE\" encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes, and potentially code execution. No exploits have been observed for the moment.", "url_title": "2020-018", "content_markdown": "---\ntitle: 'Serious PHP Vulnerability'\nversion: '1.0'\nnumber: '2020-018'\ndate: 'April 03, 2020'\n---\n\n_History:_\n\n* _03/04/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nIn PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using `mb_strtolower()` function with `UTF-32LE` encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes, and potentially code execution [1]. No exploits have been observed for the moment.\n\n# Technical Details\n\nA call to `mb_strtolower()` allows overwriting of a stack-allocated buffer with an overflown array from `.rodata` (the read-only data segment in memory). It seems that size is well-controlled by an attacker in the range 512-1020, while the data to overwrite with are much less controlled [2].\n\n# Products Affected\n\n The vulnerability was coded as CVE-2020-7065 and it affects PHP versions 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 7.3.10, 7.3.11, 7.3.12, 7.3.13, 7.3.14, 7.4.0, 7.4.1, 7.4.2 [3]\n\n# Recommendations\n\nPHP has released a patch for this vulnerability [4]. It is strongly advised to update to the version 7.4.4 to fix this vulnerability as soon as possible.\n\n# References\n\n[1] \n\n[2] \n\n[3] \n\n[4] \n", "content_html": "

History:

  • 03/04/2020 --- v1.0 -- Initial publication

Summary

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes, and potentially code execution [1]. No exploits have been observed for the moment.

Technical Details

A call to mb_strtolower() allows overwriting of a stack-allocated buffer with an overflown array from .rodata (the read-only data segment in memory). It seems that size is well-controlled by an attacker in the range 512-1020, while the data to overwrite with are much less controlled [2].

Products Affected

The vulnerability was coded as CVE-2020-7065 and it affects PHP versions 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 7.3.10, 7.3.11, 7.3.12, 7.3.13, 7.3.14, 7.4.0, 7.4.1, 7.4.2 [3]

Recommendations

PHP has released a patch for this vulnerability [4]. It is strongly advised to update to the version 7.4.4 to fix this vulnerability as soon as possible.

References

[1] https://www.suse.com/security/cve/CVE-2020-7065/

[2] https://bugs.php.net/bug.php?id=79371&edit=3

[3] https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-7065

[4] https://www.php.net/ChangeLog-7.php#7.4.4l

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }