CVE-2019-9641
📋 TL;DR
This vulnerability in PHP's EXIF extension is an uninitialized memory read triggered while parsing a crafted TIFF image; it can lead to information disclosure and potentially to remote code execution. It affects PHP applications that process TIFF images with EXIF data, particularly web applications that handle image uploads.
💻 Affected Systems
- PHP
📦 What is this software?
Leap by Opensuse
Php by Php
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Information disclosure of sensitive memory contents, potentially including credentials or application data.
If Mitigated
Denial of service or application crash if memory read causes segmentation fault.
🎯 Exploit Status
Exploitation requires uploading or processing a malicious TIFF image. Public proof-of-concept demonstrates memory read.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 7.1.27, PHP 7.2.16, PHP 7.3.3
Vendor Advisory: https://bugs.php.net/bug.php?id=77509
Restart Required: Yes
Instructions:
1. Update PHP to a patched version using the package manager (apt/yum).
2. Restart the web server (Apache/Nginx) and PHP-FPM if used.
3. Verify the version with php -v.
🔧 Temporary Workarounds
Disable EXIF extension
Prevents processing of EXIF data in images, mitigating the vulnerability.
1. Check whether the extension is enabled: php -i | grep exif
2. Edit php.ini and change extension=exif.so to ;extension=exif.so
3. Restart the web server (and PHP-FPM, if used)
Block TIFF uploads
Prevent upload of TIFF images at the application or web server level.
In Apache: <FilesMatch "\.tiff?$"> Require all denied </FilesMatch>
In Nginx: location ~ \.tiff?$ { deny all; }
🧯 If You Can't Patch
- Implement strict file type validation to reject TIFF images at application level.
- Deploy WAF rules to block malicious TIFF uploads and monitor for exploitation attempts.
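The two upload controls above (the web server rules under Temporary Workarounds and the application-level file type validation here) both need to recognise a TIFF by its content: PHP's EXIF reader identifies the format from the file's first bytes, not from its name, so a rule keyed on a .tif/.tiff extension alone does not see a TIFF uploaded as photo.jpg. The following is an added example, not code from the advisory or from the PHP project, that checks the TIFF signature bytes and reports every file in a directory that is a TIFF by content. The sample files are constructed inline for the demonstration; the directory layout and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the advisory): content-based TIFF detection for an
# upload gate.  A TIFF starts with "II*\0" (little-endian) or "MM\0*" (big-endian).

# is_tiff FILE: returns 0 when FILE begins with a TIFF header, 1 otherwise.
is_tiff() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        49492a00|4d4d002a) return 0 ;;   # "II*\0" or "MM\0*"
        *) return 1 ;;
    esac
}

# list_tiffs DIR: print the path of every regular file in DIR that is a TIFF
# by content, whatever its extension says.
list_tiffs() {
    for f in "$1"/*; do
        [ -f "$f" ] && is_tiff "$f" && printf '%s\n' "$f"
    done
    return 0
}

# count_tiffs DIR: number of such files, for scripting and checks.
count_tiffs() {
    list_tiffs "$1" | wc -l | tr -d ' '
}

# Constructed sample inputs (not real images): minimal headers only.
SAMPLE_DIR=$(mktemp -d)
printf 'II*\000\010\000\000\000' > "$SAMPLE_DIR/scan.tif"      # little-endian TIFF header
printf 'MM\000*\000\000\000\010' > "$SAMPLE_DIR/renamed.jpg"   # big-endian TIFF, misleading name
printf '\377\330\377\341'        > "$SAMPLE_DIR/photo.jpg"     # JPEG SOI + APP1 marker
printf 'not an image'            > "$SAMPLE_DIR/notes.tiff"    # TIFF name, no TIFF header

# Usage: report what an extension-only rule would misjudge.
echo "TIFF-by-content files in $SAMPLE_DIR:"
list_tiffs "$SAMPLE_DIR"
```

On the constructed samples the report lists scan.tif and renamed.jpg and skips notes.tiff, which is the point: the Apache FilesMatch and Nginx location rules above match the request path, not the bytes of a multipart upload body, so the application-level check has to look at the content. This example covers only the TIFF container this advisory names.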
🔍 How to Verify
Check if Vulnerable:
Run: php -v | grep 'PHP' and compare version against affected ranges.
Check Version:
php -v | grep 'PHP'
Verify Fix Applied:
Confirm PHP version is 7.1.27+, 7.2.16+, or 7.3.3+ with php -v.
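Comparing a version string against three separate fixed releases by eye is error-prone, so here is an added example (not code from the advisory or from the PHP project) that classifies a PHP version string against the fixed releases named above, 7.1.27, 7.2.16 and 7.3.3. It assumes that branches older than 7.1 never received the fix and that 7.4 and later were released after it; the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the advisory): is a given PHP version inside an
# affected range for CVE-2019-9641?  Fixed releases: 7.1.27, 7.2.16, 7.3.3.

# php_cve_2019_9641_vulnerable VERSION
#   returns 0 (true) when VERSION is inside an affected range, 1 when patched,
#   2 when the string cannot be parsed.  Accepts distro-style strings such as
#   "7.2.15-0ubuntu0.18.04.1" by keeping only the leading numeric part.
php_cve_2019_9641_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$rest" = "$v" ]; then minor=0; patch=0; fi    # "7"
    if [ "$patch" = "$rest" ]; then patch=0; fi          # "7.2"
    patch=${patch%%.*}                                   # "7.2.15.1" -> 15
    [ -n "$minor" ] || minor=0
    case "$major" in
        ''|*[!0-9]*) echo "unparseable version: $1" >&2; return 2 ;;
    esac
    case "$major.$minor" in
        7.1) [ "$patch" -lt 27 ] ;;
        7.2) [ "$patch" -lt 16 ] ;;
        7.3) [ "$patch" -lt 3 ] ;;
        *)
            if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 3 ]; }; then
                return 1   # 7.4 and later were released after the fix (assumption)
            fi
            return 0       # 5.x / 7.0: end-of-life branches, never fixed (assumption)
            ;;
    esac
}

# installed_php_check: run the classification against the php binary on PATH.
installed_php_check() {
    command -v php >/dev/null 2>&1 || { echo "php not found on PATH" >&2; return 2; }
    ver=$(php -r 'echo PHP_VERSION;')
    if php_cve_2019_9641_vulnerable "$ver"; then
        echo "PHP $ver: inside an affected range for CVE-2019-9641"
        return 0
    fi
    echo "PHP $ver: at or above a fixed release"
    return 1
}

installed_php_check || true   # exit status is informational when run as a script
```

One caveat for the version-only check: distributions such as Ubuntu and Debian backport security fixes without changing the upstream version number, so on those systems a "vulnerable" result from this script must be confirmed against the package version in the USN or DSA listed under References rather than taken as final.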
📡 Detection & Monitoring
Log Indicators:
- Segmentation faults in PHP/web server logs
- Unexpected memory access errors
- Large number of TIFF file uploads
Network Indicators:
- TIFF file uploads to web applications
- Abnormal outbound connections after image processing
SIEM Query:
source="web_server.log" ("segmentation fault" OR "memory access") AND "php"
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://bugs.php.net/bug.php?id=77509
- https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html
- https://security.netapp.com/advisory/ntap-20190502-0007/
- https://usn.ubuntu.com/3922-1/
- https://usn.ubuntu.com/3922-2/
- https://usn.ubuntu.com/3922-3/
- https://www.debian.org/security/2019/dsa-4403