FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2024-9026

Improper Output Neutralization for Logs (CWE-117)

Published: Oct 8, 2024 / Updated: 42d ago

010
CVSS 3.3EPSS 0.04%Low
CVE info copied to clipboard

Summary

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Impact

This vulnerability allows an attacker to manipulate log message content, potentially polluting the final log or removing up to 4 characters from log messages. If PHP-FPM is configured to use syslog output, additional log data removal may be possible. This could lead to the concealment of malicious activities or the creation of misleading audit trails, compromising the integrity and reliability of system logs.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in PHP versions 8.1.30, 8.2.24, and 8.3.12.

Mitigation

1. Update PHP to the latest patched versions: 8.1.30, 8.2.24, or 8.3.12, depending on your current major version. 2. If immediate updating is not possible, consider disabling the catch_workers_output feature in PHP-FPM configuration if it's not critically needed. 3. If using syslog output with PHP-FPM, monitor logs closely for any signs of manipulation or data removal until the patch can be applied. 4. Implement additional logging and monitoring solutions that are separate from PHP-FPM to ensure comprehensive and tamper-resistant logging.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9026. See article

Sep 26, 2024 at 2:12 PM / news-web.php.net: php.internals
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514132)

Sep 27, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514133)

Sep 27, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (38961)

Sep 27, 2024 at 7:53 AM
Threat Intelligence Report

CVE-2024-9026 is a critical vulnerability that allows an attacker to alter logs from child processes due to an unspecified error, potentially compromising the integrity of logging mechanisms. The details regarding exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors are not provided in the available information. Further investigation is necessary to assess the full implications and risks associated with this vulnerability. See article

Sep 28, 2024 at 12:25 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6021340)

Oct 1, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (207997)

Oct 1, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (286178)

Oct 2, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208018)

Oct 2, 2024 at 11:15 AM
Static CVE Timeline Graph

Affected Systems

Php-fpm/php-fpm
+null more

Exploits

https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5
+null more

Patches

bugzilla.redhat.com
+null more

Links to Mitre Att&cks

T1070: Indicator Removal on Host
+null more

Attack Patterns

CAPEC-268: Audit Log Manipulation
+null more

Vendor Advisory

CVE-2024-9026
Red Hat CVE Database / 42d
Red Hat Enterprise Linux 7 - php - Fix deferred Red Hat Enterprise Linux 8 - php:7.4/php - Fix deferred

References

Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
Cyber Security Advisories - MS-ISAC / 50d
OS Command Injection: The vulnerability allows a remote attacker to send specially crafted HTTP request to the application and execute arbitrary OS commands on the system due to improper input validation in PHP-CGI implementation. Security features bypass: The vulnerability allows a remote attacker to bypass implemented security restriction and gain unauthorized access to the application due to environment variable collision, which can lead to cgi.force_redirect bypass.
📢 Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
Dragon Security Threat Intelligence Feed / 53d
OS Command Injection: The vulnerability allows a remote attacker to send specially crafted HTTP request to the application and execute arbitrary OS commands on the system due to improper input validation in PHP-CGI implementation. Security features bypass: The vulnerability allows a remote attacker to bypass implemented security restriction and gain unauthorized access to the application due to environment variable collision, which can lead to cgi.force_redirect bypass.

News

Prepare NEWS for 8.4.0
Recent Commits to php-src:master / 12h
Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi). Fixed missing error when adding asymmetric visibility to static properties.
Fedora 41 : php (2024-a03b06dbd0)
Newest Plugins from Tenable / 5d
The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-a03b06dbd0 advisory. The remote Fedora host is missing one or more security updates.
Fix 8.4 NEWS file
Recent Commits to php-src:master / 11d
Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi). Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
Merge branch 'PHP-8.3' into PHP-8.4
Recent Commits to php-src:master / 12d
Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi). Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
microsoft_mariner CVE-2024-9026: CVE-2024-9026
Recently Released Plugin Pipeline from Tenable / 17d
Released Last Updated: 11/3/2024 CVEs: CVE-2024-9026 Plugins: 210121
See 78 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None

Categories

CVSS 3.3(3245)CWE-117(81)CWE-158(12)Php-fpm(5)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial