emb3d - tid-225

tid-225

Vulnerability from emb3d

Type

Link

Description

Threat actors may try to manipulate logs on the device to evade defenses, confuse incident responders, hide their access techniques, or keep their exploitation methods secret. Threat actors can do this by changing the timestamps on logs, deleting logs entirely, inserting or reporting false logs, restoring the device to a previous state, or factory resetting the device. All of these methods will prevent defenders from obtaining an accurate representation of the current or past state of the device and will make analysis of the device more difficult.

CWE

CWE-284: Improper Access Control

CVE-2024-9026 (GCVE-0-2024-9026)

Vulnerability from cvelistv5 – Published: 2024-10-08 04:07 – Updated: 2025-11-03 22:33

Summary

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-158 - Improper Neutralization of Null Byte or NUL Character
CWE-117 - Improper Output Neutralization for Logs

Assigner

php

References

URL

Tags

https://github.com/php/php-src/security/advisorie…

Impacted products

	Vendor	Product	Version
	PHP Group	PHP	Affected: 8.1.* , < 8.1.30 (semver) Affected: 8.2.* , < 8.2.24 (semver) Affected: 8.3.* , < 8.3.12 (semver)

Credits

Sébastien Rolland

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "php",
            "vendor": "php",
            "versions": [
              {
                "lessThan": "8.1.30",
                "status": "affected",
                "version": "8.1.0",
                "versionType": "semver"
              },
              {
                "lessThan": "8.2.24",
                "status": "affected",
                "version": "8.2.0",
                "versionType": "semver"
              },
              {
                "lessThan": "8.3.12",
                "status": "affected",
                "version": "8.3.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9026",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-08T12:47:58.418408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-08T13:52:08.340Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:33:15.254Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241101-0003/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00011.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PHP",
          "vendor": "PHP Group",
          "versions": [
            {
              "lessThan": "8.1.30",
              "status": "affected",
              "version": "8.1.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.2.24",
              "status": "affected",
              "version": "8.2.*",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3.12",
              "status": "affected",
              "version": "8.3.*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "S\u00e9bastien Rolland"
        }
      ],
      "datePublic": "2024-09-27T17:50:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is\u0026nbsp;configured to catch workers output through catch_workers_output = yes,\u0026nbsp;it may be possible to pollute the final log or\u0026nbsp;remove up to 4 characters from the log messages by manipulating log message content. Additionally, if\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is\u00a0configured to catch workers output through catch_workers_output = yes,\u00a0it may be possible to pollute the final log or\u00a0remove up to 4 characters from the log messages by manipulating log message content. Additionally, if\u00a0PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-268",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-268 Audit Log Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-158",
              "description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-117",
              "description": "CWE-117: Improper Output Neutralization for Logs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-08T04:07:33.452Z",
        "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
        "shortName": "php"
      },
      "references": [
        {
          "url": "https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "PHP-FPM logs from children may be altered",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b",
    "assignerShortName": "php",
    "cveId": "CVE-2024-9026",
    "datePublished": "2024-10-08T04:07:33.452Z",
    "dateReserved": "2024-09-20T00:15:42.321Z",
    "dateUpdated": "2025-11-03T22:33:15.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted