CVE-2016-6296 : Integer signedness error in the simplestring

Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function.

Published 2016-07-25 14:59:10

Updated 2018-01-05 02:31:06

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Products affected by CVE-2016-6296

PHP » PHP
Versions up to, including, (<=) 5.5.37
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Alpha4
cpe:2.3:a:php:php:5.6.0:alpha4:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Alpha5
cpe:2.3:a:php:php:5.6.0:alpha5:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.5
cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Beta2
cpe:2.3:a:php:php:5.6.0:beta2:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.13
cpe:2.3:a:php:php:5.6.13:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.14
cpe:2.3:a:php:php:5.6.14:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.20
cpe:2.3:a:php:php:5.6.20:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.21
cpe:2.3:a:php:php:5.6.21:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Alpha2
cpe:2.3:a:php:php:5.6.0:alpha2:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Alpha3
cpe:2.3:a:php:php:5.6.0:alpha3:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.3
cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.4
cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.11
cpe:2.3:a:php:php:5.6.11:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.12
cpe:2.3:a:php:php:5.6.12:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.19
cpe:2.3:a:php:php:5.6.19:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.2
cpe:2.3:a:php:php:5.6.2:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.7
cpe:2.3:a:php:php:5.6.7:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.8
cpe:2.3:a:php:php:5.6.8:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.9
cpe:2.3:a:php:php:5.6.9:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Alpha1
cpe:2.3:a:php:php:5.6.0:alpha1:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.1
cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.2
cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.1
cpe:2.3:a:php:php:5.6.1:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.10
cpe:2.3:a:php:php:5.6.10:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.17
cpe:2.3:a:php:php:5.6.17:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.18
cpe:2.3:a:php:php:5.6.18:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.5
cpe:2.3:a:php:php:5.6.5:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.6
cpe:2.3:a:php:php:5.6.6:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Beta1
cpe:2.3:a:php:php:5.6.0:beta1:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.0
cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Beta3
cpe:2.3:a:php:php:5.6.0:beta3:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.0 Update Beta4
cpe:2.3:a:php:php:5.6.0:beta4:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.15
cpe:2.3:a:php:php:5.6.15:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.16
cpe:2.3:a:php:php:5.6.16:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.3
cpe:2.3:a:php:php:5.6.3:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.4
cpe:2.3:a:php:php:5.6.4:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.23
cpe:2.3:a:php:php:5.6.23:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 7.0.8
cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*
Matching versions
PHP » PHP » Version: 5.6.22
cpe:2.3:a:php:php:5.6.22:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2016-6296

Top countries where our scanners detected CVE-2016-6296

Top open port discovered on systems with this issue 80

IPs affected by CVE-2016-6296 478,964

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2016-6296!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-6296

EPSS FAQ

10.69%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-6296

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-6296

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-6296

https://security.gentoo.org/glsa/201611-22

PHP: Multiple vulnerabilities (GLSA 201611-22) — Gentoo security

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html

Apple - Lists.apple.com

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/11/msg00029.html

[SECURITY] [DLA 2011-1] xmlrpc-epi security update
http://www.securitytracker.com/id/1036430

PHP Multiple Flaws Let Remote and Local Users Obtain Potentially Sensitive Information and Execute Arbitrary Code - SecurityTracker

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3631

Debian -- Security Information -- DSA-3631-1 php5

CVEs referencing this url
http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa

208.43.231.11 Git - php-src.git/commit
Issue Tracking
http://www.ubuntu.com/usn/USN-3059-1

USN-3059-1: xmlrpc-epi vulnerability | Ubuntu security notices
http://www.securityfocus.com/bid/92095

PHP '/xmlrpc/libxmlrpc/simplestring.c' Heap Buffer Overflow Vulnerability
Third Party Advisory;VDB Entry
https://bugs.php.net/72606

PHP :: Sec Bug #72606 :: heap-buffer-overflow (write) simplestring_addn simplestring.c
Exploit;Issue Tracking
https://support.apple.com/HT207170

About the security content of macOS Sierra 10.12 - Apple Support

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2016-2750.html

RHSA-2016:2750 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://php.net/ChangeLog-7.php

PHP: PHP 7 ChangeLog
Release Notes

CVEs referencing this url
http://openwall.com/lists/oss-security/2016/07/24/2

oss-security - Re: Fwd: CVE for PHP 5.5.38 issues
Mailing List

CVEs referencing this url
http://php.net/ChangeLog-5.php

PHP: PHP 5 ChangeLog
Release Notes

CVEs referencing this url