Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events

On October 22, security researcher Omar Ganiev published a tweet regarding remote code execution vulnerability in PHP-FPM (the FastCGI Process Manager) running on the Nginx server. The tweet includes a link to a GitHub repository with an explanation of the vulnerability and a PoC (proof-of-concept) for its exploitation.

Vulnerable PHP versions are prior to PHP 7.3.11 (current stable), PHP 7.2.24 and PHP 7.1.33 (old stable). More details about the vulnerability can be found here.

A short timeline of the chain of events:

  • September 24: GitHub project opened
  • September 26: Vulnerability submitted
  • September 27: The first attack observed in Imperva CDN
  • October 21: Official vulnerability patch release
  • October 22: Tweet posted by the researcher
  • October 24 – Now: Media coverage

This timeline is unusual. In most cases we would expect to see the release of a patch, followed by a PoC, before attacks appear in the wild. Because we already had a mitigation rule in place before the attack was published, we had full visibility of the attacks and could track them in the wild from the moment they began.

Surprisingly, however, we found that exploits using the same script were carried out long before the release of the official patch. Though we can’t tell whether it started as a private project, or exactly when it was made public relative to the official patch, we can see on GitHub that the project was created on September 24. The early exploits, dating back to September 27, leave a trace similar to the GitHub PoC, based on the unique HTTP payloads and the attacking application.

The first attempts to exploit the vulnerability used a VPN to hide the originating IP and came from a single source against a single destination. After the public disclosure, we observed typical epidemic-like behavior – multiple early adopters scanning the web for unpatched software.

Figure: First attack attempt, Shodan source-IP information

It’s also interesting to note the evolving variety of tools used to carry out the attack. While the original GitHub PoC was written in Go, we observed multiple different clients during the days following the release of the PoC, indicating the emergence of variants of the original exploit. Some of the later attempts were made from browsers, probably as manual tests.

| Day | Attacking tools | Distinct IPs, distinct sites, malicious requests (the three counts are run together) |
| --- | --- | --- |
| 2019-10-27 | GoLang, Python, cURL, Tor Browser, Chrome, Firefox | 391059946 |
| 2019-10-26 | GoLang, Python, cURL, Tor Browser, Chrome, Firefox | 1410012897 |
| 2019-10-25 | GoLang, Python, cURL, Tor Browser, WebKit | 13666942 |
| 2019-10-24 | GoLang, Python, cURL | 2214350067 |
| 2019-10-23 | GoLang, Python, cURL, Wget BusyBox, Firefox | 30454087 |
| 2019-10-22 | GoLang | 11184 |
| 2019-10-08 | GoLang | 11110 |
| 2019-09-27 | GoLang | 11110 |

Not surprisingly, the early-adopter attacking IPs originate from Russia, the USA and China. The rise of Vietnam on the map is unusual, however.

| Country code | Number of malicious requests |
| --- | --- |
| RU | 39629 |
| US | 28954 |
| VN | 27591 |
| CN | 27131 |
| IN | 7380 |
| GB | 4377 |
| NL | 2322 |
| IE | 1738 |
| FR | 837 |
| CH | 736 |
| PL | 681 |
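The per-day and per-country breakdowns above are built by aggregating blocked requests. As an added example (not Imperva's own tooling), the Python below shows how such tracking tables can be produced from WAF records; the one-line-per-request record format, the sample records and the User-Agent fingerprints used to name the tool families are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed WAF-style blocked-request records (not real Imperva data):
# timestamp, client IP, country, target host, request line, user agent.
SAMPLE_LOGS = [
    '2019-09-27T11:02:10Z 198.51.100.7 RU site-a.example "GET /index.php HTTP/1.1" "Go-http-client/1.1"',
    '2019-10-23T08:00:00Z 203.0.113.5 US site-a.example "GET /index.php HTTP/1.1" "python-requests/2.22.0"',
    '2019-10-23T08:00:09Z 203.0.113.5 US site-b.example "GET /index.php HTTP/1.1" "curl/7.64.1"',
    '2019-10-23T14:15:00Z 192.0.2.44 VN site-c.example "GET /index.php HTTP/1.1" "Go-http-client/1.1"',
    '2019-10-23T14:16:30Z 192.0.2.44 VN site-c.example "GET /index.php HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"',
    'truncated record that must not crash the report',
]
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<host>\S+) "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed User-Agent fingerprints for the tool families named in the post. Tor Browser ships
# a stock Firefox UA, so by UA alone it cannot be told apart from Firefox and counts as such.
TOOL_PATTERNS = [
    ("GoLang", re.compile(r"Go-http-client")),
    ("Python", re.compile(r"python-(requests|urllib)", re.I)),
    ("cURL", re.compile(r"^curl/", re.I)),
    ("Wget BusyBox", re.compile(r"Wget|BusyBox", re.I)),
    ("Chrome", re.compile(r"Chrome/")),
    ("Firefox", re.compile(r"Firefox/")),
]

def classify_tool(user_agent):
    return next((name for name, pat in TOOL_PATTERNS if pat.search(user_agent)), "Other")

def parse_line(line):
    """Parse one record; return None for malformed lines so callers can skip them."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["day"] = ev["ts"][:10]  # ISO timestamp -> YYYY-MM-DD bucket
    ev["tool"] = classify_tool(ev["ua"])
    return ev

def daily_summary(lines):
    """Per day: tools seen, distinct attacking IPs, distinct target sites, request count."""
    days = defaultdict(lambda: {"tools": set(), "ips": set(), "sites": set(), "requests": 0})
    for ev in filter(None, map(parse_line, lines)):
        d = days[ev["day"]]
        d["tools"].add(ev["tool"]); d["ips"].add(ev["ip"]); d["sites"].add(ev["host"])
        d["requests"] += 1
    return {day: {"tools": sorted(v["tools"]), "ips": len(v["ips"]),
                  "sites": len(v["sites"]), "requests": v["requests"]}
            for day, v in sorted(days.items(), reverse=True)}

def country_summary(lines):
    """Malicious requests per source country code."""
    return Counter(ev["cc"] for ev in filter(None, map(parse_line, lines)))
```

Running `daily_summary(SAMPLE_LOGS)` and `country_summary(SAMPLE_LOGS)` on the constructed records yields the same shape of table as the two shown above; malformed records are dropped rather than aborting the report.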

Fortunately, our customers were protected right out of the box in both the Cloud and the On-Prem WAF.

And, going forward, they can rest assured that our Threat Research team will keep tracking this and other 0-day vulnerabilities and their exploits, and will keep updating our WAF engine to provide the best mitigation for newly released vulnerabilities.



*** This is a Security Bloggers Network syndicated blog from Blog authored by Dima Bekerman. Read the original post at: https://www.imperva.com/blog/tracking-cve-2019-11043-php-vulnerability/