The vulnerability allows a low-privilege user to escalate their privileges to root using a bug in PHP-FPM.
PHP is one of the most commonly used programming languages on the planet. As you know, it is a programming language originally designed for use in web-based applications with HTML content.
PHP powers 78.4% of the web, including popular content management systems like WordPress, Drupal, and Joomla. The main reason behind this is PHP’s open-source nature, lightweight structure, and developer-friendly yet powerful features.
Security researchers are warning that a PHP-FPM local privilege escalation vulnerability impacting PHP could put millions of websites at risk. The vulnerability allows the root FPM process to read/write at arbitrary locations using pointers located in the SHM (shared memory) region, leading to a privilege escalation from www-data to root. The bug has been present for 10 years.
What are the affected PHP versions? This is possible in PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running the PHP-FPM SAPI with the main FPM daemon process running as root and the child worker processes running as lower-privileged users.
Just for your information, here’s the percentage of PHP versions in use worldwide as of July 2021.
If you’re wondering whether you are vulnerable, here’s the answer. If you are using Apache and PHP, you might be using PHP-FPM. To be sure, you need to check on your server whether Apache runs PHP as a module or via PHP-FPM. However, if you’re using NGINX and PHP, you are using PHP-FPM, so you are vulnerable.
Luckily, this vulnerability was fixed in PHP versions 8.0.12 and 7.4.25. So if you are running a version of PHP-FPM that is among those vulnerable, please update immediately to the highest version in your release branch.
It was patched on the 21st of October 2021 by the guys at PHP.NET.
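As an added example that is not part of the original article, the following POSIX shell script checks the two things described above: whether a given PHP-FPM version string falls inside the affected ranges listed earlier (7.3.x up to and including 7.3.31, 7.4.x below 7.4.25, 8.0.x below 8.0.12), and which users the running php-fpm processes belong to, since a root master with lower-privileged workers is the arrangement the advisory describes. The function names `is_affected`, `report_version` and `fpm_process_users` are my own; the script assumes a `php-fpm` binary on PATH when run on a real host and otherwise falls back to constructed sample version strings.

```shell
#!/bin/sh
# Added example (not from the original article): version-range check and
# process-owner listing for the PHP-FPM privilege escalation described above.

# is_affected VERSION
# Exit 0 when VERSION lies in one of the affected ranges named in the article,
# 1 otherwise. Branches other than 7.3/7.4/8.0 are simply "not in the list";
# the article says nothing about them, so no claim of safety is made.
is_affected() {
    ver=$1
    case "$ver" in
        *.*.*) ;;            # need major.minor.patch
        *) return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}  # strip suffixes such as "-4ubuntu2" or "-dev"
    [ -n "$patch" ] || return 1
    case "$major.$minor" in
        7.3) [ "$patch" -le 31 ] ;;   # 7.3.x up to and including 7.3.31
        7.4) [ "$patch" -lt 25 ] ;;   # 7.4.x below 7.4.25
        8.0) [ "$patch" -lt 12 ] ;;   # 8.0.x below 8.0.12
        *)   return 1 ;;
    esac
}

# report_version VERSION: one-line verdict for a version string.
report_version() {
    if is_affected "$1"; then
        echo "$1: in an affected range, update to the latest release of that branch"
    else
        echo "$1: not in the affected ranges listed"
    fi
}

# fpm_process_users: count php-fpm processes per owning user. A single root
# entry (the master) plus entries for a low-privileged user (e.g. www-data)
# is the root-master / unprivileged-worker layout the advisory applies to.
fpm_process_users() {
    ps -eo user=,comm= | grep -i 'php-fpm' | sort | uniq -c
}

# Stand-alone run: inspect the installed php-fpm if one is on PATH, otherwise
# evaluate a set of constructed sample version strings.
if fpm_bin=$(command -v php-fpm 2>/dev/null); then
    installed=$("$fpm_bin" -v 2>/dev/null | sed -n 's/^PHP \([0-9][0-9.]*[0-9]\).*/\1/p')
    [ -n "$installed" ] && report_version "$installed"
    fpm_process_users
else
    for v in 7.3.31 7.3.32 7.4.24 7.4.25 8.0.11 8.0.12 8.1.0; do
        report_version "$v"
    done
fi
```

On Debian-style hosts the binary is versioned (for example `php-fpm7.4`), so the `command -v php-fpm` lookup may miss it; pass the output of that binary's `-v` through `report_version` instead, and run `fpm_process_users` on its own to see the master/worker ownership.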
In the bug report, there wasn’t any exploit provided. Just a bad implementation pointed out and a theoretical scenario. However, it has to be patched, indeed.
GT, thanks for your shitty explanation. I left here dumber than when I arrived.