CVE-2021-21703 Overview
CVE-2021-21703 is a local privilege escalation vulnerability affecting PHP-FPM (FastCGI Process Manager) that allows unprivileged users to escalate their privileges to root. The vulnerability exists in the shared memory mechanism between the main PHP-FPM daemon process (running as root) and child worker processes (running as lower-privileged users). By manipulating shared memory, an attacker with access to a child process can corrupt memory in a way that causes the root process to perform invalid memory reads and writes, ultimately leading to full root access.
Critical Impact
Local attackers with access to PHP-FPM child processes can escalate privileges from an unprivileged user to root, potentially gaining complete control over the affected system.
Affected Products
- PHP versions 7.3.x up to and including 7.3.31
- PHP versions 7.4.x below 7.4.25
- PHP versions 8.0.x below 8.0.12
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 33, 34, and 35
- NetApp Clustered Data ONTAP
- Oracle Communications Diameter Signaling Router
Discovery Timeline
- 2021-10-25 - CVE-2021-21703 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21703
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-284) and out-of-bounds write conditions (CWE-787) in PHP-FPM's shared memory implementation. PHP-FPM uses a process-based architecture where the main daemon runs with root privileges to bind to privileged ports and manage worker processes, while child workers execute PHP code with reduced privileges for security isolation.
The core issue lies in the shared memory region used for inter-process communication between the root master process and the lower-privileged worker processes. The child processes have write access to memory segments that are also read by the root process. Due to insufficient validation of data written to shared memory, a malicious child process can craft memory modifications that corrupt the parent process's memory state.
When the root process subsequently reads this corrupted shared memory, it performs invalid memory operations. An attacker can leverage this behavior to achieve arbitrary code execution within the context of the root process, thereby escalating from a low-privileged user account to full root access on the system.
Root Cause
The root cause is insufficient isolation and validation in the shared memory communication channel between the privileged master PHP-FPM process and unprivileged worker processes. The architecture trusts data written by child processes without adequate boundary checks, creating an opportunity for memory corruption attacks. This design flaw allows a compromised or malicious child process to influence the execution flow of the parent root process through carefully crafted memory writes.
Attack Vector
This is a local privilege escalation attack requiring the attacker to first gain access to execute code within a PHP-FPM worker process. Common attack scenarios include:
- An attacker who has already compromised a web application running under PHP-FPM
- A malicious user on a shared hosting environment where PHP-FPM processes requests from multiple tenants
- An insider threat with limited shell access to a system running PHP-FPM
Once the attacker has code execution within a PHP-FPM child process, they can manipulate the shared memory region to trigger the vulnerability in the root master process. The attack requires high complexity due to the need to craft precise memory corruption patterns, but successful exploitation results in complete system compromise.
The vulnerability mechanism involves writing malicious data to the shared memory segment that will be subsequently processed by the master PHP-FPM process. When the master process performs memory operations based on this corrupted data, the attacker can hijack execution flow or overwrite critical memory structures to achieve root-level code execution.
Detection Methods for CVE-2021-21703
Indicators of Compromise
- Unusual memory access patterns or crashes in PHP-FPM master processes
- Unexpected process spawning from the PHP-FPM master process with elevated privileges
- Suspicious modifications to shared memory segments associated with PHP-FPM
- Anomalous behavior from PHP-FPM worker processes attempting to access unauthorized resources
Detection Strategies
- Monitor PHP-FPM process behavior for unexpected memory operations or segmentation faults in the master process
- Implement audit logging for PHP-FPM configuration changes and process events
- Deploy endpoint detection solutions capable of identifying privilege escalation attempts from web server processes
- Review system logs for signs of unauthorized root access following PHP-FPM process activity
Monitoring Recommendations
- Enable detailed logging for PHP-FPM to capture process lifecycle events and errors
- Configure system auditing (auditd) to monitor for privilege changes and suspicious process executions
- Deploy file integrity monitoring on PHP binaries and configuration files
- Utilize SentinelOne's behavioral AI to detect anomalous process behavior indicative of privilege escalation attempts
How to Mitigate CVE-2021-21703
Immediate Actions Required
- Upgrade PHP to version 7.3.32 or later, 7.4.25 or later, or 8.0.12 or later immediately
- Review PHP-FPM configurations and ensure the principle of least privilege is applied
- Audit web applications for existing compromises that could be leveraged to exploit this vulnerability
- Apply vendor-specific patches from Debian, Fedora, Oracle, and other affected distributions
Patch Information
PHP has released patched versions that address this vulnerability. Organizations should update to the following minimum versions:
- PHP 7.3.x: Upgrade to 7.3.32 or later
- PHP 7.4.x: Upgrade to 7.4.25 or later
- PHP 8.0.x: Upgrade to 8.0.12 or later
Additional patch information is available from distribution vendors:
- Debian Security Advisory DSA-4992
- Debian Security Advisory DSA-4993
- Fedora Package Announcements
- Oracle CPU January 2022 Security Alerts
- Oracle CPU April 2022 Security Alerts
For technical details on the vulnerability, refer to PHP Bug Report #81026 and the Openwall OSS Security Announcement.
Workarounds
- Run PHP-FPM in a containerized environment with limited capabilities to reduce the impact of privilege escalation
- Implement additional access controls and sandboxing around PHP-FPM processes where possible
- Consider running PHP-FPM master process as a non-root user if the environment permits (though this may limit functionality)
- Deploy network segmentation to limit lateral movement potential if the vulnerability is exploited
# Check current PHP version and verify patched status
php -v
# For Debian/Ubuntu systems, update PHP packages
sudo apt update && sudo apt upgrade php-fpm
# For RHEL/CentOS/Fedora systems
sudo dnf update php-fpm
# Restart PHP-FPM service after patching
sudo systemctl restart php-fpm
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
