CVE-2020-7060 Overview
CVE-2020-7060 is an Out-of-Bounds Read vulnerability affecting PHP's mbstring extension. When using certain mbstring functions to convert multibyte encodings, specifically when processing Big5 character encoding conversions, the mbfl_filt_conv_big5_wchar function can be tricked into reading past the allocated buffer. This memory safety issue may lead to information disclosure of sensitive memory contents or cause application crashes, resulting in denial of service conditions.
Critical Impact
This vulnerability enables remote attackers to trigger information disclosure or crash PHP applications by supplying specially crafted multibyte encoding data to mbstring conversion functions without requiring authentication.
Affected Products
- PHP versions 7.2.x below 7.2.27
- PHP versions 7.3.x below 7.3.14
- PHP versions 7.4.x below 7.4.2
- Tenable Tenable.sc (various versions)
- Oracle Communications Diameter Signaling Router
- openSUSE Leap 15.1
- Debian Linux 8.0
Discovery Timeline
- February 10, 2020 - CVE-2020-7060 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-7060
Vulnerability Analysis
This vulnerability exists within PHP's mbstring extension, specifically in the Big5 to wide character conversion filter (mbfl_filt_conv_big5_wchar). The mbstring extension provides multibyte string handling capabilities essential for applications dealing with Asian character encodings such as Big5 (traditional Chinese), Shift-JIS, and others.
The core issue stems from improper bounds checking during the character encoding conversion process. When processing specially crafted input data, the conversion function fails to properly validate buffer boundaries before performing read operations. This allows an attacker to supply malformed Big5-encoded data that causes the function to read memory beyond the allocated buffer.
The vulnerability is classified as CWE-125 (Out-of-bounds Read), which occurs when software reads data past the end of an intended buffer. In PHP's case, this can expose sensitive information stored in adjacent memory regions or cause the PHP process to crash when accessing invalid memory addresses.
Root Cause
The root cause of CVE-2020-7060 lies in insufficient boundary validation within the mbfl_filt_conv_big5_wchar function. When parsing Big5-encoded input sequences, the function performs read operations based on expected character lengths without adequately verifying that sufficient data remains in the input buffer. This missing bounds check allows specially crafted input to trigger reads past the allocated memory region.
The Big5 encoding uses a two-byte structure for most characters, and the vulnerability is triggered when the conversion function encounters malformed or truncated sequences at the end of the input buffer, causing it to read beyond the intended memory boundaries.
Attack Vector
The attack can be executed remotely over the network without requiring authentication. An attacker can exploit this vulnerability by:
- Identifying PHP applications that use mbstring functions for character encoding conversion (e.g., mb_convert_encoding(), mb_strcut(), or similar functions)
- Crafting malicious input data containing specially formed Big5 encoding sequences
- Submitting this data to the application through user-controllable input vectors such as form fields, file uploads, or API parameters
- The vulnerable mbstring functions process the input, triggering the out-of-bounds read
Successful exploitation can leak sensitive memory contents back to the attacker or cause the PHP process to crash, resulting in denial of service. The vulnerability is particularly concerning for web applications that handle user-supplied character encoding data without strict input validation.
Detection Methods for CVE-2020-7060
Indicators of Compromise
- Unexpected PHP process crashes or segmentation faults in applications using mbstring functions
- Increased error logs showing memory-related issues during character encoding conversions
- Anomalous requests containing malformed Big5 or multibyte encoded data
- Unusual response sizes that may indicate memory content leakage
Detection Strategies
- Monitor PHP error logs for segmentation faults and memory access violations related to mbstring operations
- Implement web application firewall (WAF) rules to detect and block malformed multibyte encoding sequences
- Deploy runtime application self-protection (RASP) solutions to detect out-of-bounds memory access attempts
- Use intrusion detection systems (IDS) to identify patterns of malicious encoding-based attacks
Monitoring Recommendations
- Enable detailed PHP error logging and monitor for crashes in mbfl_filt_conv_big5_wchar and related functions
- Implement application performance monitoring (APM) to detect unusual crash patterns in PHP processes
- Review access logs for requests containing suspicious Big5 or multibyte encoded payloads
- Set up alerts for repeated PHP process restarts that may indicate exploitation attempts
How to Mitigate CVE-2020-7060
Immediate Actions Required
- Upgrade PHP to patched versions: 7.2.27 or later, 7.3.14 or later, or 7.4.2 or later
- Review applications for usage of vulnerable mbstring functions and implement input validation
- Apply vendor-specific patches for affected products like Tenable.sc, Oracle Communications Diameter Signaling Router, and Linux distributions
- Consider temporarily disabling Big5 encoding support if not required by the application
Patch Information
PHP has released security patches addressing this vulnerability in the following versions:
- PHP 7.2.27 and later
- PHP 7.3.14 and later
- PHP 7.4.2 and later
Administrators should refer to the PHP Bug Report #79037 for technical details about the fix. Distribution-specific patches are available through:
- Debian Security Advisory DSA-4626 and DSA-4628
- Ubuntu Security Notice USN-4279-1
- Gentoo GLSA 202003-57
- Tenable Security Notification TNS-2021-14 for Tenable.sc users
- Oracle CPU July 2020 and April 2021 for Oracle products
Workarounds
- Implement strict input validation to sanitize and validate character encoding data before processing
- Use allowlisting to restrict accepted character encodings to only those required by the application
- Deploy web application firewalls with rules to filter potentially malicious multibyte sequences
- Consider using alternative character conversion libraries that are not affected by this vulnerability
# Check current PHP version for vulnerability
php -v | grep -E "PHP 7\.(2\.(0|[1-9]|1[0-9]|2[0-6])|3\.([0-9]|1[0-3])|4\.[01])"
# Update PHP on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get upgrade php
# Update PHP on RHEL/CentOS systems
sudo yum update php
# Verify mbstring extension is using patched version
php -r "echo 'mbstring loaded: ' . (extension_loaded('mbstring') ? 'yes' : 'no') . PHP_EOL;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
