Platform: php
Component: php
Fixed in: 7.2.34, 7.3.23, 7.4.11
CVE-2020-7069 is a security vulnerability affecting PHP versions 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23, and 7.4.x prior to 7.4.11. This flaw arises when the AES-CCM encryption mode is utilized with the openssl_encrypt() function and a 12-byte Initialization Vector (IV). Due to a defect, only the first 7 bytes of the IV are actually used, potentially compromising the integrity and confidentiality of the encrypted data. A fix is available in PHP 7.4.11.
The vulnerability lies in the improper handling of the Initialization Vector (IV) within the AES-CCM encryption mode. When openssl_encrypt() is called with a 12-byte IV, the code incorrectly processes only the initial 7 bytes. This significantly reduces the entropy of the IV, making the encryption more susceptible to attacks. An attacker could potentially decrypt or manipulate encrypted data if they can control or predict portions of the IV. The reduced security also means that the encryption may not be as robust against known attacks on AES-CCM, potentially leading to incorrect or compromised data. This could result in data breaches, unauthorized access to sensitive information, or even the ability to inject malicious code.
CVE-2020-7069 was publicly disclosed on October 2, 2020. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for data compromise makes it a worthwhile target for attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests that it could be exploited with relative ease if a suitable IV manipulation technique is developed.
Applications relying on PHP's openssl_encrypt() function with AES-CCM and using 12-byte IVs are at risk. This includes web applications handling sensitive data such as financial transactions, user credentials, or personal information. Shared hosting environments using vulnerable PHP versions are particularly susceptible, as they may lack the ability to quickly patch their PHP installations.
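• php / server:
# List calls to openssl_encrypt() in PHP sources, with 5 lines of leading context
find /var/www/html -name "*.php" -print0 | xargs -0 grep -i -F -B 5 "openssl_encrypt("
• php / server:
# Search the php7.4 unit's journal for AES-CCM messages
journalctl -u php7.4 --grep "AES-CCM"
• php / server:
# Look for running processes whose command line mentions openssl_encrypt
ps aux | grep -i openssl_encrypt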
EPSS
8.35% (percentile 92%)
The primary mitigation for CVE-2020-7069 is to upgrade to a patched version of PHP. Specifically, upgrade to PHP 7.4.11 or later. If upgrading is not immediately feasible, consider implementing workarounds to reduce the risk. One potential workaround is to ensure that the IV used with openssl_encrypt() is always less than 8 bytes in length, effectively preventing the vulnerable condition. Another approach is to carefully review and validate the encryption implementation to ensure that the IV is handled correctly. After upgrading, verify the fix by attempting to reproduce the vulnerability using a test case that utilizes AES-CCM with a 12-byte IV. Ensure that the encryption process behaves as expected and that the full IV is utilized.
Upgrade to the latest version of PHP. Specifically, upgrade to version 7.2.34, 7.3.23 or 7.4.11, or later, depending on the PHP branch you are using. This fixes the vulnerability in the openssl_encrypt() function when AES-CCM mode is used with a 12-byte IV.
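One way to run the post-upgrade verification described above, as an added example that is not code from the advisory or the PHP project. It relies on the behaviour stated on this page (only the first 7 bytes of a 12-byte IV are used), so two IVs sharing those 7 bytes produce identical output on an affected build. The function names ccm_seal and ccm_uses_full_iv are hypothetical, and the script is meant for the PHP CLI.

```php
<?php
declare(strict_types=1);

// Added self-test, not from the PHP project. It assumes the behaviour the
// advisory describes: an affected build uses only the first 7 bytes of a
// 12-byte AES-CCM IV, so IVs that differ only in bytes 8-12 collide.

/** Encrypt with AES-128-CCM and return ciphertext followed by the 16-byte tag. */
function ccm_seal(string $key, string $iv, string $plaintext): string
{
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-128-ccm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false || strlen($tag) !== 16) {
        throw new RuntimeException('AES-CCM encryption failed: ' . (string) openssl_error_string());
    }
    return $ct . $tag;
}

/** True when all 12 IV bytes influence the output, false when the tail is ignored. */
function ccm_uses_full_iv(): bool
{
    $key    = random_bytes(16);
    $prefix = random_bytes(7);                  // bytes an affected build still uses
    $ivA    = $prefix . "\x00\x00\x00\x00\x01"; // constructed 12-byte IVs that
    $ivB    = $prefix . "\x00\x00\x00\x00\x02"; // differ only in the last byte
    $msg    = 'constructed test message';

    // Same key and plaintext: equal output means the differing byte was never read.
    return !hash_equals(ccm_seal($key, $ivA, $msg), ccm_seal($key, $ivB, $msg));
}

if (!in_array('aes-128-ccm', openssl_get_cipher_methods(), true)) {
    fwrite(STDERR, "aes-128-ccm is not available in this OpenSSL build\n");
    exit(2);
}
if (ccm_uses_full_iv()) {
    echo 'PHP ' . PHP_VERSION . ": full 12-byte CCM IV is honoured\n";
    exit(0);
}
echo 'PHP ' . PHP_VERSION . ": trailing IV bytes ignored, upgrade PHP\n";
exit(1);
```

Run it with the same PHP binary and SAPI configuration the application uses; exit status 1 flags a build that still needs the upgrade.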
CVE-2020-7069 is a medium severity vulnerability in PHP affecting versions 7.2.x, 7.3.x, and 7.4.x where only 7 bytes of a 12-byte IV are used in AES-CCM encryption, weakening security.
You are affected if you are using PHP versions 7.2.0–7.2.33, 7.3.0–7.3.22, or 7.4.0–7.4.10 and utilizing AES-CCM encryption with a 12-byte IV.
Upgrade to PHP 7.4.11 or later to resolve the vulnerability. If immediate upgrade is not possible, consider workarounds like limiting IV length to less than 8 bytes.
While no confirmed active exploitation campaigns are publicly known, the potential for data compromise makes it a potential target for attackers.
Refer to the official PHP security advisory at https://www.php.net/security/advisory-2020-10-02.