Plattform
php
Komponente
php
Behoben in
7.2.34
7.3.23
7.4.11
CVE-2020-7069 is a security vulnerability affecting PHP versions 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23, and 7.4.x prior to 7.4.11. This flaw arises when the AES-CCM encryption mode is utilized with the openssl_encrypt() function and a 12-byte Initialization Vector (IV). Due to a defect, only the first 7 bytes of the IV are actually used, potentially compromising the integrity and confidentiality of the encrypted data. A fix is available in PHP 7.4.11.
The core impact of CVE-2020-7069 lies in the weakened encryption provided by AES-CCM. By only using the first 7 bytes of the 12-byte IV, the effective key space is significantly reduced. This makes it easier for an attacker to potentially decrypt or forge encrypted data. While a full decryption is unlikely, the reduced entropy increases the risk of information leakage or manipulation. This could lead to unauthorized access to sensitive data, such as user credentials, financial information, or proprietary business data, depending on how PHP is used within an application. The vulnerability is particularly concerning in applications that rely heavily on encryption for data protection, such as e-commerce platforms or secure communication systems.
CVE-2020-7069 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate widespread exploitation. However, the vulnerability's nature—weakening a standard encryption algorithm—makes it a potential target for sophisticated attackers. The vulnerability was publicly disclosed on October 2, 2020, coinciding with the CVE publication date.
Applications relying on PHP's openssl_encrypt() function with AES-CCM and using 12-byte IVs are at risk. This includes web applications handling sensitive data such as financial transactions, user credentials, or personal information. Shared hosting environments using vulnerable PHP versions are particularly susceptible, as they may lack the ability to quickly patch their PHP installations.
• php / server:
find /var/www/html -name "openssl_encrypt.php" -print0 | xargs -0 grep -i "openssl_encrypt\(" -B 5• php / server:
journalctl -u php7.4 -grep "AES-CCM"• php / server:
ps aux | grep -i openssl_encryptdisclosure
patch
Exploit-Status
EPSS
8.35% (92% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2020-7069 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.11 or later. If upgrading is not immediately feasible, consider implementing workarounds to reduce the risk. While a direct workaround isn't possible within the openssl_encrypt() function itself, ensure that any applications using AES-CCM are not handling highly sensitive data where even a slight reduction in encryption strength is unacceptable. Review application code to identify where AES-CCM is used and assess the potential impact. Consider using a different encryption mode with a larger IV size if possible. After upgrading, confirm the fix by attempting to encrypt and decrypt data using AES-CCM with a 12-byte IV and verifying that the full IV is utilized.
Aktualisieren Sie auf die neueste PHP-Version. Aktualisieren Sie insbesondere auf Version 7.2.34, 7.3.23 oder 7.4.11 oder höher, je nach der verwendeten PHP-Version. Dies behebt die Schwachstelle in der Funktion openssl_encrypt() bei Verwendung des AES-CCM-Modus mit einem 12-Byte-IV.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2020-7069 is a medium severity vulnerability in PHP affecting versions 7.2.x, 7.3.x, and 7.4.x where only 7 bytes of a 12-byte IV are used in AES-CCM encryption, weakening security.
You are affected if you are using PHP versions 7.2.0–7.2.33, 7.3.0–7.3.22, or 7.4.0–7.4.10 and utilizing AES-CCM encryption with a 12-byte IV.
Upgrade to PHP 7.4.11 or later to resolve the vulnerability. If immediate upgrade is not possible, consider workarounds like limiting IV length to less than 8 bytes.
While no confirmed active exploitation campaigns are publicly known, the potential for data compromise makes it a potential target for attackers.
Refer to the official PHP security advisory at https://www.php.net/security/advisory-2020-10-02.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.