Bug 1081790 (CVE-2015-9253) - VUL-0: CVE-2015-9253: php5, php53, php7: The php-fpm master process restarts a child process in an endless loop when using program execution functions
Summary: VUL-0: CVE-2015-9253: php5, php53, php7: The php-fpm master process restarts ...
Status: RESOLVED FIXED
Alias: CVE-2015-9253
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/200436/
Whiteboard: CVSSv3:SUSE:CVE-2015-9253:6.5:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-20 14:58 UTC by Karol Babioch
Modified: 2022-03-29 13:45 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Karol Babioch 2018-02-20 14:58:30 UTC
CVE-2015-9253

An issue was discovered in PHP through 7.2.2. The php-fpm master process
restarts a child process in an endless loop when using program execution
functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking
STDIN stream, causing this master process to consume 100% of the CPU, and
consume disk space with a large volume of error logs, as demonstrated by an
attack by a customer of a shared-hosting facility.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9253
https://www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
https://bugs.php.net/bug.php?id=75968
https://bugs.php.net/bug.php?id=70185
Comment 1 Karol Babioch 2018-02-20 15:44:24 UTC
These codestreams are not affected, since we do not ship fpm there:

- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11:Update 

Affected:

- SUSE:SLE-11-SP3:Update (php53)
- SUSE:SLE-12:Update (php5, php7)
Comment 2 Petr Gajdos 2018-02-23 09:14:49 UTC
This does not seem to have a solution for a long time. The newer bug is private now, I will try to follow it on php-security@ for some time.
Comment 5 Petr Gajdos 2018-02-25 10:02:54 UTC
https://bugs.php.net/bug.php?id=75968

is now public, points to another bug:

https://bugs.php.net/bug.php?id=73342
(with patch included)
Comment 6 Petr Gajdos 2018-03-02 12:55:03 UTC
No news in upstream bugs. I tried at least to reproduce the bug. I did it on Leap 42.3.

$ git clone https://github.com/pgajdos/apache-rex.git
$ cd apache-rex
$ ./run-rex mod_proxy_fcgi-php-fpm
 [..]
See for details: /tmp/apache-rex/mod_proxy_fcgi-php-fpm
 [..]
$ cd /tmp/apache-rex/mod_proxy_fcgi-php-fpm
$ /usr/sbin/php-fpm --fpm-config $PWD/php-fpm.conf
$ /usr/sbin/httpd -f $PWD/httpd.conf
$ curl -s http://localhost:60080/poc.php

See that ./php-fpm.log is filling with:

[02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 started
[02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 exited with code 0 after 0.001849 seconds from start
Comment 7 Petr Gajdos 2018-03-02 13:03:36 UTC
(In reply to Petr Gajdos from comment #6)
> No news in upstream bugs. I tried at least to reproduce the bug. I did it on Leap
> 42.3.
> 
> $ git clone https://github.com/pgajdos/apache-rex.git
> $ cd apache-rex
> $ ./run-rex mod_proxy_fcgi-php-fpm
>  [..]
> See for details: /tmp/apache-rex/mod_proxy_fcgi-php-fpm
>  [..]
> $ cd /tmp/apache-rex/mod_proxy_fcgi-php-fpm
> $ /usr/sbin/php-fpm --fpm-config $PWD/php-fpm.conf
$ echo "<?php stream_set_blocking(fopen('php://stdin', 'r'), false); ?>" > htdocs/poc.php
> $ /usr/sbin/httpd -f $PWD/httpd.conf
> $ curl -s http://localhost:60080/poc.php
> 
> See that ./php-fpm.log is filling with:
> 
> [02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 started
> [02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 exited with code 0
> after 0.001849 seconds from start
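The log pattern in comments 6 and 7 is the observable symptom of the issue in the report: every child exits within milliseconds of starting and the master immediately starts another. The following is an added example, not code from this bug report, from PHP or from SUSE, that parses php-fpm.log lines in exactly that format and flags pools whose children are being respawned in a tight loop. The threshold values (window length, minimum number of exits, maximum child lifetime) and the sample log lines are constructed for illustration and are not php-fpm settings.

```python
"""Flag php-fpm child respawn storms in php-fpm.log.

Added example, not code from this bug report or from PHP. It parses the
NOTICE lines php-fpm writes when a pool child starts or exits, and reports
pools whose children exit almost immediately after starting, many times in
a short window: the symptom of CVE-2015-9253, and of any other crash loop.
The thresholds below are assumptions for illustration, not php-fpm settings.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches both forms seen in php-fpm.log:
#   [02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 started
#   [02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 exited with code 0 after 0.001849 seconds from start
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE: \[pool (?P<pool>[^\]]+)\] child (?P<pid>\d+) "
    r"(?:(?P<started>started)|exited with code (?P<code>\d+) "
    r"after (?P<secs>[\d.]+) seconds from start)$"
)


def parse_line(line):
    """Return a dict for a child start/exit NOTICE line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "pool": m.group("pool"),
        "pid": int(m.group("pid")),
        "event": "started" if m.group("started") else "exited",
        "code": int(m.group("code")) if m.group("code") is not None else None,
        "lifetime": float(m.group("secs")) if m.group("secs") is not None else None,
    }


def find_respawn_storms(lines, window_s=1.0, min_exits=10, max_lifetime_s=0.1):
    """Return {pool: (count, first_ts, last_ts)} for every pool in which at
    least min_exits children lived shorter than max_lifetime_s within any
    window_s span. Long-lived exits (pm.max_requests recycling, idle
    shrinking) are ignored, which keeps a healthy pool out of the report."""
    short_exits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == "exited" and ev["lifetime"] < max_lifetime_s:
            short_exits[ev["pool"]].append(ev["ts"])

    storms = {}
    for pool, stamps in short_exits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window so that it spans at most window_s seconds
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= min_exits and count > storms.get(pool, (0,))[0]:
                storms[pool] = (count, stamps[start], ts)
    return storms


def sample_log():
    """Constructed lines in the format shown in php-fpm.log above: a
    respawn loop in pool www, and ordinary recycling in a second pool."""
    lines = []
    for i in range(12):
        pid = 9793 + i
        lines.append(f"[02-Mar-2018 13:13:06] NOTICE: [pool www] child {pid} started")
        lines.append(f"[02-Mar-2018 13:13:06] NOTICE: [pool www] child {pid} "
                     f"exited with code 0 after 0.001849 seconds from start")
    lines.append("[02-Mar-2018 13:13:06] NOTICE: [pool admin] child 4242 "
                 "exited with code 0 after 3612.417 seconds from start")
    lines.append("[02-Mar-2018 13:13:07] NOTICE: [pool admin] child 4300 started")
    lines.append("[02-Mar-2018 13:13:07] NOTICE: [pool admin] child 4300 "
                 "exited with code 0 after 0.002000 seconds from start")
    return lines


if __name__ == "__main__":
    import sys
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else sample_log()
    for pool, (count, first, last) in find_respawn_storms(src).items():
        print(f"pool {pool}: {count} short-lived child exits between {first} and {last}")
```

Run it with no input to see the constructed sample flagged, or pipe a real log into it (`tail -n 5000 php-fpm.log | python3 fpm_respawn.py`). Because php-fpm timestamps have one-second resolution, a window of one second already catches the loop from comment 6, where every child exits in well under a millisecond; a single short-lived exit, as in the second pool above, is not reported, so normal worker crashes do not trip the check.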
Comment 8 Petr Gajdos 2018-03-02 13:04:00 UTC
Do you see a reason why this is a security bug?
Comment 9 Karol Babioch 2018-03-02 13:14:38 UTC
At the very least you can (1) spam the syslog with error logs about php-fpm constantly respawning. You can easily create several MBs of logs per second, which will lead to DoS due to missing disk space pretty quickly.

This might be a problem for shared hosting providers, etc. While there might be mitigations to restrict CPU usage, syslog usage usually is not restricted.

Furthermore (2) you'll burn CPU cycles since the respawning of php-fpm processes will take up to 100% of CPU time.
Comment 10 Petr Gajdos 2018-03-10 13:16:16 UTC
Okay, understood.

No news in the upstream bugs, suspending.
Comment 11 Petr Gajdos 2018-05-11 20:44:37 UTC
No fix upstream or downstream on the horizon as far as I can see.
Comment 12 Petr Gajdos 2018-05-11 20:49:16 UTC
(Patch from the upstream bug is not applied.)
Comment 14 Wolfgang Frisch 2020-05-26 16:55:50 UTC
(In reply to Petr Gajdos from comment #5)
> https://bugs.php.net/bug.php?id=75968
> 
> is now public, points to another bug:
> 
> https://bugs.php.net/bug.php?id=73342
> (with patch included)

In the meantime bug 73342 was marked as a duplicate of 75968 and the change in 73342 was accepted into PHP 7.1.x:

https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8
Comment 16 Petr Gajdos 2022-02-15 13:47:37 UTC
Submitted for 15/php7, 12/php72, 11sp3/php53.

I believe all fixed.
Comment 18 Petr Gajdos 2022-02-15 14:50:51 UTC
7.4+ have this fix in.
Comment 19 Swamp Workflow Management 2022-02-25 23:18:42 UTC
SUSE-SU-2022:0577-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1038980,1081790,1193041
CVE References: CVE-2015-9253,CVE-2017-8923,CVE-2021-21707
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.75.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2022-03-02 23:19:42 UTC
openSUSE-SU-2022:0679-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1038980,1081790,1192050,1193041
CVE References: CVE-2015-9253,CVE-2017-8923,CVE-2021-21703,CVE-2021-21707
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    php7-7.2.5-4.89.4
Comment 21 Swamp Workflow Management 2022-03-02 23:20:42 UTC
SUSE-SU-2022:0679-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1038980,1081790,1192050,1193041
CVE References: CVE-2015-9253,CVE-2017-8923,CVE-2021-21703,CVE-2021-21707
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise Server for SAP 15 (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise Server 15-SP1-BCL (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise Server 15-LTSS (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    php7-7.2.5-4.89.4
SUSE Enterprise Storage 6 (src):    php7-7.2.5-4.89.4
SUSE CaaS Platform 4.0 (src):    php7-7.2.5-4.89.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Wolfgang Frisch 2022-03-29 13:45:23 UTC
Released.