Platform
php
Component
php
Fixed in
7.2.34
7.3.23
7.4.11
CVE-2020-7069 is a security vulnerability affecting PHP versions 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23, and 7.4.x prior to 7.4.11. This flaw arises when the AES-CCM encryption mode is utilized with the openssl_encrypt() function and a 12-byte Initialization Vector (IV). Due to a defect, only the first 7 bytes of the IV are actually used, potentially compromising the integrity and confidentiality of the encrypted data. A fix is available in PHP 7.4.11.
The vulnerability lies in the improper handling of the Initialization Vector (IV) within the AES-CCM encryption mode. When openssl_encrypt() is called with a 12-byte IV, the code incorrectly processes only the initial 7 bytes. This significantly reduces the entropy of the IV, making the encryption more susceptible to attacks. An attacker could potentially decrypt or manipulate encrypted data if they can control or predict portions of the IV. The reduced security also means that the encryption may not be as robust against known attacks on AES-CCM, potentially leading to incorrect or compromised data. This could result in data breaches, unauthorized access to sensitive information, or even the ability to inject malicious code.
CVE-2020-7069 was publicly disclosed on October 2, 2020. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for data compromise makes it a worthwhile target for attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests that it could be exploited with relative ease if a suitable IV manipulation technique is developed.
Exploit Status
EPSS
8.35% (92% percentile)
CVSS Vector
The primary mitigation for CVE-2020-7069 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.11 or later. If upgrading is not immediately feasible, consider implementing workarounds to reduce the risk. One potential workaround is to ensure that the IV used with openssl_encrypt() is always less than 8 bytes in length, effectively preventing the vulnerable condition. Another approach is to carefully review and validate the encryption implementation to ensure that the IV is handled correctly. After upgrading, verify the fix by attempting to reproduce the vulnerability using a test case that utilizes AES-CCM with a 12-byte IV. Ensure that the encryption process behaves as expected and that the full IV is utilized.
Update to the latest version of PHP. Specifically, update to version 7.2.34, 7.3.23, or 7.4.11, or higher, depending on the PHP branch you are using. This will correct the vulnerability in the openssl_encrypt() function when using AES-CCM mode with a 12-byte IV.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-7069 is a medium severity vulnerability in PHP affecting versions 7.2.x, 7.3.x, and 7.4.x where only 7 bytes of a 12-byte IV are used in AES-CCM encryption, weakening security.
You are affected if you are using PHP versions 7.2.0–7.2.33, 7.3.0–7.3.22, or 7.4.0–7.4.10 and utilizing AES-CCM encryption with a 12-byte IV.
Upgrade to PHP 7.4.11 or later to resolve the vulnerability. If immediate upgrade is not possible, consider workarounds like limiting IV length to less than 8 bytes.
While no confirmed active exploitation campaigns are publicly known, the potential for data compromise makes it a potential target for attackers.
Refer to the official PHP security advisory at https://www.php.net/security/advisory-2020-10-02.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.