WP Tracking CVE-2019-11043 PHP Vulnerability - An Uncommon Chain of Events | Imperva

Archive

Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events

Tracking CVE-2019-11043 PHP Vulnerability – An Uncommon Chain of Events

On October 22, security researcher Omar Ganiev published a tweet regarding remote code execution vulnerability in PHP-FPM (the FastCGI Process Manager) running on the Nginx server. The tweet includes a link to a GitHub repository with an explanation of the vulnerability and a PoC (proof-of-concept) for its exploitation.

Vulnerable PHP versions are prior to PHP 7.3.11 (current stable), PHP 7.2.24 and PHP 7.1.33 (old stable). More details about the vulnerability can be found here.

A short timeline of the chain of events:

  • September 24: Github project opened
  • September 26: Vulnerability submitted
  • September 27: The first attack observed in Imperva CDN
  • October 21: Official vulnerability patch release
  • October 22: Tweet posted by the researcher
  • October 24 – Now: Media coverage

This timeline is unusual, however. As we had already had a mitigation rule in place before the attack was published, we had full visibility of the attacks, which allowed us to track them in the wild from the moment they began. In most cases, we would expect to see the release of a patch, followed by a PoC, before we started seeing attacks in the wild. 

Surprisingly, however, we found that exploits using the same script were carried out long before the release of the official patch. Though we can’t tell if it started as a private project or when the official patch was published, we can see on Github that the project was created on September 24. The early exploits, dating back to September 27, have a similar trace to the GitHub PoC, based on the unique HTTP payloads and the attacking application.

The first attempts to exploit the vulnerability used a VPN to cover the original IP and were from a single source to a single destination. After the public disclosure, we observed typical epidemical behavior – multiple early-adopters trying to scan the web for unpatched software.

FirstPHPFPizdec

First attack attempt, Shodan source-IP information

It’s also interesting to note the evolution of the variety of tools used to carry out the attack. While the original Github PoC was written in the Go language, we observed multiple different clients during the days following the release, indicating the emergence of variants to the original exploit. Some of the later attempts were made by browsers, probably as manual tests.

Day Attacking tools Number of Distinct IPs Number of Distinct Sites Number of Malicious Requests
2019-10-27 GoLang, Python, cURL, Tor Browser, Chrome, Firefox 39 105 9946
2019-10-26 GoLang, Python, cURL, Tor Browser, Chrome, Firefox 14 100 12897
2019-10-25 GoLang, Python, cURL, Tor Browser, WebKit 13 66 6942
2019-10-24 GoLang, Python, cURL 22 143 50067
2019-10-23 GoLang, Python, cURL, Wget BusyBox, Firefox 30 45 4087
2019-10-22 GoLang 1 1 184
2019-10-08 GoLang 1 1 110
2019-09-27 GoLang 1 1 110

Not surprisingly, the early-adopter-attacking IPs originate from Russia, USA and China. The rise of Vietnam on the map is pretty unusual, however.

Country Code Number of Malicious Requests
RU 39629
US 28954
VN 27591
CN 27131
IN 7380
GB 4377
NL 2322
IE 1738
FR 837
CH 736
PL 681

Fortunately, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF.

And, going forward, they can rest assured that our Threat Research team will keep tracking this and other 0-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.