CVE-2021-21703 in Communications Diameter Signaling Router

Summary

by MITRE • 10/25/2021

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

Analysis

by VulDB Data Team • 01/22/2022

This vulnerability exists within the PHP FastCGI Process Manager implementation and represents a critical privilege escalation flaw affecting multiple PHP version streams. The issue manifests when PHP FPM operates with a master daemon process running with root privileges while child worker processes execute under less privileged accounts. This architectural configuration creates an exploitable memory sharing scenario where unprivileged child processes can manipulate memory segments that are shared with the root-privileged main process. The vulnerability stems from improper memory management and access control mechanisms within the FPM SAPI implementation, specifically during the handling of shared memory regions between parent and child processes.

The technical exploitation occurs through memory corruption techniques that allow unprivileged users to write to memory areas that should be restricted to the root process. When child worker processes access shared memory segments, they can perform invalid memory reads and writes that compromise the integrity of the root process. This memory corruption can be leveraged to manipulate critical system functions and ultimately achieve root privilege escalation. The flaw is particularly dangerous because it operates at the kernel level memory management boundaries, where the separation between privileged and unprivileged execution contexts becomes compromised. This vulnerability directly relates to CWE-121 and CWE-122 categories, which address stack and heap-based buffer overflows, and also maps to ATT&CK technique T1068 for privilege escalation through local exploits.

The operational impact of this vulnerability is severe: it enables local users to gain complete system control without any external network access or authentication. Any user with local access to a system running an affected PHP FPM configuration can exploit this flaw to elevate their privileges to root, potentially leading to full system compromise. The vulnerability affects web servers and applications that rely on PHP FPM for processing requests, making it particularly dangerous in production environments where PHP FPM is commonly deployed. Attackers can leverage this privilege escalation to install backdoors, modify system files, access sensitive data, or establish persistent access to the compromised system. Organizations running affected PHP versions in production face significant risk of unauthorized system compromise, especially in multi-tenant or shared hosting environments where multiple users have local access to the system.

Mitigation strategies should prioritize immediate patching of all affected PHP versions to the latest stable releases. System administrators should ensure that PHP FPM configurations do not run the master process as root, instead using dedicated non-privileged users for the main daemon while maintaining appropriate privilege separation. Additionally, implementing proper process isolation and memory access controls can help prevent exploitation attempts. Organizations should conduct comprehensive vulnerability assessments to identify all systems running affected PHP FPM configurations and implement monitoring for suspicious privilege escalation attempts. The use of containerization with proper user namespace isolation and privilege dropping mechanisms can provide additional defense in depth. Regular security audits of PHP FPM configurations and access control policies should be implemented to prevent similar vulnerabilities from emerging in future deployments.
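As an added illustration of the assessment step described above (this script is not part of the VulDB entry and not PHP's own tooling), the POSIX shell audit below checks a PHP version string against the affected ranges given in the summary and inspects `ps` output for an FPM master process owned by root, which together are the preconditions the advisory names. It assumes that `php-fpm` is on PATH, that its `-v` banner begins with `PHP <version>`, and that the master process carries the title `php-fpm: master process ...` that PHP sets; the sample `ps` lines used in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the VulDB entry): flag hosts that match the
# CVE-2021-21703 preconditions, i.e. an affected PHP version and an FPM
# master process running as root.

# php_version_affected VERSION
# Returns 0 when VERSION falls in an affected range from the advisory:
#   7.3.x up to and including 7.3.31, 7.4.x below 7.4.25, 8.0.x below 8.0.12.
# Returns 1 for other versions and 2 for a string without a numeric patch level.
php_version_affected() {
    v="${1%%-*}"                          # drop suffixes such as "-dev"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=$1; minor=$2; patch=$3
    case "$patch" in
        '' | *[!0-9]*) return 2 ;;        # need a numeric patch level
    esac
    case "$major.$minor" in
        7.3) [ "$patch" -le 31 ] ;;
        7.4) [ "$patch" -lt 25 ] ;;
        8.0) [ "$patch" -lt 12 ] ;;
        *)   return 1 ;;                  # other streams are outside the listed ranges
    esac
}

# fpm_master_as_root
# Reads lines in the form produced by `ps -eo user=,args=` on stdin, e.g.
# (constructed) "root     php-fpm: master process (/etc/php-fpm.conf)", and
# succeeds when an FPM master process is owned by root.
fpm_master_as_root() {
    awk '$1 == "root" && /php-fpm: master process/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# audit_host
# Live check for the current machine. Assumes php-fpm is on PATH and that
# `php-fpm -v` prints a banner starting with "PHP <version>".
audit_host() {
    ver=$(php-fpm -v 2>/dev/null | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "php-fpm not found on PATH"; return 2
    fi
    status=0
    if php_version_affected "$ver"; then
        echo "PHP $ver is in an affected range"; status=1
    else
        echo "PHP $ver is outside the affected ranges"
    fi
    if ps -eo user=,args= | fpm_master_as_root; then
        echo "FPM master process runs as root"; status=1
    else
        echo "no root-owned FPM master process found"
    fi
    return $status
}

# Run the live audit only when invoked with --audit, so the functions can be
# sourced and exercised on sample input without touching the host.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --audit` on each host found by inventory; a non-zero exit means at least one precondition holds. Note that the `user` and `group` directives in an FPM pool configuration only set the identity of the worker processes; the master's identity is whichever account launches the daemon, so that is what the `ps` check has to look at.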

Responsible

PHP Group

Reservation

01/04/2021

Disclosure

10/25/2021

Moderation

accepted

Entry

2

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low
