Bug 2016535 (CVE-2021-21703) - CVE-2021-21703 php: Local privilege escalation via PHP-FPM
Summary: CVE-2021-21703 php: Local privilege escalation via PHP-FPM
Keywords:
Status: NEW
Alias: CVE-2021-21703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2017111 2018202 2018204 2017129 2018203
Blocks: 2016537
Reported: 2021-10-21 20:27 UTC by Pedro Sampaio
Modified: 2021-12-14 08:27 UTC
CC List: 6 users

Fixed In Version: php 7.4.25, php 8.0.12
Doc Type: If docs needed, set a value
Doc Text:
php-fpm has a vulnerability which may lead to local privilege escalation. This vulnerability is hard to exploit, as the attack needs to escape the FPM sandbox mechanism. When a complete attack is achieved, it may lead to risk for confidentiality, data integrity, and system availability.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2021-10-21 20:27:32 UTC
One can force the root FPM process to read/write at arbitrary locations using pointers located in the SHM, leading to a privilege escalation from www-data to root.

Upstream bug:

https://bugs.php.net/bug.php?id=81026

Comment 2 Marco Benatto 2021-10-25 17:40:06 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2017129]

Comment 4 Marco Benatto 2021-10-29 14:44:29 UTC
Upstream patch for this issue:
https://github.com/php/php-src/commit/fadb1f8c1d08ae62b4f0a16917040fde57a3b93b

Comment 5 Marco Benatto 2021-11-03 13:20:03 UTC
Currently PHP has a flaw in the FPM scoreboard mechanism, which, when leveraged by an attacker, can lead to local privilege escalation. Currently PHP maintains several per-worker scoreboard-related structures, accessed indirectly by pointers to a shared memory mapping; if an attacker manages to escape the FPM sandbox and overwrite those values, they may gain control over these structures, leading to a possible privilege escalation.
Such an attack is high in complexity as, to be successful, the attacker first needs to chain it with a sandbox escape exploit or have access to the PHP host.
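
The pointer-in-shared-memory pattern described in the comment above, with a hardened inline-by-index layout beside it, as an added C illustration of the flaw class (not PHP's scoreboard code; the struct names, NPROCS and the demo functions are hypothetical):

```c
/* Added, hypothetical layout (not PHP's scoreboard): records reached via SHM pointers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NPROCS 4
struct proc_record { uint32_t pid; uint32_t requests; };

/* Vulnerable: the privileged reader dereferences pointers it found in the
 * shared mapping, which every worker can write. */
struct scoreboard_ptr {
    struct proc_record *procs[NPROCS];
    struct proc_record  storage[NPROCS];
};

uint32_t vuln_requests(const struct scoreboard_ptr *sb, size_t i)
{
    return sb->procs[i]->requests;      /* trusts an address taken from SHM */
}

/* Hardened: records are embedded inline and reached by index; the bound is
 * the reader's own constant, not a field in shared memory. */
struct scoreboard_inline { struct proc_record procs[NPROCS]; };

bool safe_requests(const struct scoreboard_inline *sb, size_t i, uint32_t *out)
{
    if (i >= NPROCS) return false;      /* out-of-range index refused */
    *out = sb->procs[i].requests;
    return true;
}

/* Simulation: a writer to the mapping points procs[0] at a record private
 * to the privileged reader; the vulnerable reader hands back its contents. */
uint32_t demo_vulnerable(void)
{
    static struct proc_record private_rec = { .pid = 1, .requests = 0xC0DE };
    struct scoreboard_ptr sb = { 0 };
    for (size_t i = 0; i < NPROCS; i++) sb.procs[i] = &sb.storage[i];
    sb.procs[0] = &private_rec;         /* the tampered slot */
    return vuln_requests(&sb, 0);
}

/* Inline layout: nothing to redirect; bad index refused, good index served. */
bool demo_hardened(uint32_t *out)
{
    struct scoreboard_inline sb = { 0 };
    sb.procs[2].requests = 7;
    if (safe_requests(&sb, NPROCS, out)) return false;
    return safe_requests(&sb, 2, out);
}
```

The hardened variant also makes the mapping's own bookkeeping untrustworthy by design: a record count stored in shared memory would be writable by the same workers, so the bound must come from the reader's side.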

Comment 7 seferovic 2021-12-14 08:27:46 UTC
Hi, any info on when an errata will be published for this flaw? TIA!

