CVE-2024-11236
📋 TL;DR
This vulnerability allows attackers to cause an integer overflow in PHP's ldap_escape() function on 32-bit systems by providing long string inputs, leading to out-of-bounds writes. It affects PHP applications running on 32-bit architectures that use LDAP functionality. The high CVSS score indicates potential for remote code execution.
💻 Affected Systems
- PHP
📦 What is this software?
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crash (denial of service) or memory corruption leading to unpredictable behavior.
If Mitigated
Limited impact if proper input validation and length restrictions are implemented.
🎯 Exploit Status
Exploitation requires sending specially crafted long strings to the ldap_escape() function, which may be accessible via web applications using LDAP authentication or directory services.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.31, 8.2.26, 8.3.14
Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv
Restart Required: Yes
Instructions:
1. Identify the installed PHP version: php -v
2. Update PHP using your package manager (apt-get update && apt-get upgrade php for Debian/Ubuntu, yum update php for RHEL/CentOS).
3. Restart the web server (systemctl restart apache2 or systemctl restart nginx).
4. Verify the update with php -v.
🔧 Temporary Workarounds
Input Length Restriction
Implement application-level validation that limits the length of any string passed to the ldap_escape() function.
// PHP code example: reject over-long input before it reaches ldap_escape()
if (strlen($input) > 1000) {
    die('Input too long');
}
Disable LDAP Extension
Remove or disable the PHP LDAP extension if it is not required. The commands below apply to Debian/Ubuntu-style installs; on those systems the FPM service name may also include the PHP version.
sudo phpdismod ldap
sudo systemctl restart php-fpm
🧯 If You Can't Patch
- Migrate to 64-bit systems where this vulnerability does not exist.
- Implement web application firewall (WAF) rules to block unusually long string inputs to LDAP-related endpoints.
🔍 How to Verify
Check if Vulnerable:
Run php -v and check if version is in affected range AND system is 32-bit (check with uname -m or arch).
Check Version:
php -v | head -1
Verify Fix Applied:
Confirm PHP version is 8.1.31+, 8.2.26+, or 8.3.14+ using php -v.
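As an added example (not part of this advisory), the POSIX shell script below combines the two checks above into one classification: is the PHP version older than the fixed releases listed here, and is the build 32-bit. It reads PHP_INT_SIZE (4 on a 32-bit build) rather than uname -m, because a 32-bit PHP binary can run on a 64-bit kernel; branches other than 8.1, 8.2 and 8.3 are reported as unknown-branch rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Classifies a PHP build for
# CVE-2024-11236 from its version string and the size of a PHP integer
# (4 bytes on a 32-bit build, 8 on 64-bit). Fixed versions are the ones
# the advisory lists: 8.1.31, 8.2.26, 8.3.14.

# fixed_patch MAJOR.MINOR -> prints the first patched release on that branch
fixed_patch() {
    case "$1" in
        8.1) echo 31 ;;
        8.2) echo 26 ;;
        8.3) echo 14 ;;
        *)   return 1 ;;
    esac
}

# classify VERSION INT_SIZE -> patched | vulnerable | unaffected-arch | unknown-branch
classify() {
    ver=${1%%-*}                      # drop distro suffixes such as -1ubuntu2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0  # "8.3" with no patch component
    patch=${patch%%.*}                 # guard against four-part versions
    if [ "$2" != 4 ]; then
        echo unaffected-arch; return 0
    fi
    needed=$(fixed_patch "$major.$minor") || { echo unknown-branch; return 0; }
    if [ "$patch" -ge "$needed" ]; then echo patched; else echo vulnerable; fi
}

# live_check -> runs the classification against the local php binary
live_check() {
    version=$(php -r 'echo PHP_VERSION;') || return 1
    int_size=$(php -r 'echo PHP_INT_SIZE;') || return 1
    echo "php $version (PHP_INT_SIZE=$int_size): $(classify "$version" "$int_size")"
}

# Usage: sh check.sh --live   (runs against the php on this host)
case "${1:-}" in
    --live) live_check ;;
esac
```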
📡 Detection & Monitoring
Log Indicators:
- Web server logs showing unusually long strings in LDAP-related requests
- PHP error logs containing memory corruption or segmentation fault errors
Network Indicators:
- HTTP requests with extremely long parameters to LDAP authentication endpoints
SIEM Query:
source="web_logs" AND uri="*ldap*" AND (bytes > 10000 OR param_length > 1000)