Tech Support
Documentation
Login
Contact Us
Multiple PHP 7.4 Vulnerabilities Addressed in Debian 11
Rohan Timalsina
April 29, 2024 - TuxCare expert team
Debian 11 was first released on August 14th, 2021 with PHP version 7.4, which has already reached the end of life. This means PHP 7.4 will no longer receive official updates and security fixes from the PHP development team. However, the Debian security team provides fixes for PHP 7.4 as Debian 11 still uses PHP 7.4 as the default version. Recently, multiple PHP 7.4 vulnerabilities have been addressed in Debian 11, which could result in secure cookie bypass, XXE attacks, or incorrect validation of password hashes.
Recent PHP 7.4 Vulnerabilities Fixed
CVE-2023-3823 (CVSS v3 Score: 7.5 High)
In PHP, various XML functions depend on the libxml global state to manage configuration variables, such as the loading of external entities. This state is typically assumed to remain unchanged unless specifically modified by the user through appropriate function calls. However, because this state is shared across the entire process, other modules like ImageMagick, which also utilize the same library within the same process, may inadvertently alter this global state for their own internal needs. Consequently, the global state might be left in a state where loading external entities is enabled.
This scenario can result in the unintended parsing of external XML files with loaded external entities, potentially exposing local files accessible to PHP. This vulnerability may persist across multiple requests within the same process until the process is terminated.
CVE-2023-3824 (CVSS v3 Score: 9.8 Critical)
When loading a Phar file and reading PHAR directory entries, inadequate length checking could result in a stack buffer overflow. This PHP 7.4 vulnerability could potentially lead to memory corruption or remote code execution (RCE).
CVE-2024-2756 (CVSS v3 Score: 6.5 Medium)
This issue stems from PHP’s handling of HTTP variable names. An attacker can exploit this by setting a standard insecure cookie in the victim’s browser, which PHP applications mistakenly interpret as a __Host- or __Secure- cookie. It’s worth noting that this vulnerability persists due to an incomplete fix for #VU67756 (CVE-2022-31629).
CVE-2024-3096 (CVSS v3 Score: 4.8 Medium)
The vulnerability arises from an error within the password_verify() function, potentially leading to incorrect true returns. Exploiting this flaw, a remote attacker could circumvent implemented authentication mechanisms relying on this vulnerable function, thus gaining unauthorized access to the web application.
Mitigation Measures
Despite PHP 7.4 reaching its end-of-life status, Debian continues to utilize it as the default PHP version. The good news is that the Debian security team has addressed PHP 7.4 vulnerabilities in Debian 11 through version 7.4.33-1+deb11u5. Upgrading your PHP 7.4 packages to this patched version is highly recommended to ensure your system’s security.
Securing Your End-of-Life Linux Systems
These vulnerabilities not only affect PHP 7.4 version, but also other different PHP versions. These include PHP versions used in end-of-life operating systems, such as CentOS (6, 7, and 8), Ubuntu 16.04, Ubuntu 18.04, CloudLinux 6, and Oracle Linux 6. To secure these systems, you can utilize TuxCare’s Extended Lifecycle Support which provides security patches for additional years after the EOL. Also, these issues have been already fixed in Extended Lifecycle Support. For more information about vulnerabilities and their patch status, you can visit cve.tuxcare.com.
TuxCare also provides security patching for end-of-life PHP versions so that your applications can run smoothly and securely without massive code refactoring. Learn more about Extended Lifecycle Support for PHP.
Source: DSA 5660-1
