PCRE Vulnerability Still a Big Hole For Many Sites and Services

By Alex Harvey | June 08, 2015

PCRE, or Perl Compatible Regular Expressions, is a library of functions that implements regular expression pattern matching. It is used widely in applications ranging from MariaDB to Apache. It is also used extensively by PHP, which underpins many web applications and is increasingly turning up in Internet of Things devices.

FortiGuard researchers recently discovered vulnerabilities in the PCRE library with broad impacts across several such applications. In this case, there are two separate but similar heap overflow vulnerabilities. Insufficient bounds checking inside the PCRE functions compile_branch() and pcre_compile2() could allow the heap memory to be overflowed by crafted regular expressions.

The researchers were able to document exploits for these vulnerabilities in both MariaDB and PHP that could be used in Denial of Service attacks. It should be noted that the most recent version of PCRE (Version 8.37) has been patched against this vulnerability. However, PCRE has been in use since 1997 and legacy versions of the library are present in countless applications. When a PCRE expression is exposed to user input or data in applications using legacy versions of the library, hackers may be able to exploit the vulnerability.

MariaDB, the increasingly popular fork of MySQL, is now at Version 10.0.19. The fix for the PCRE vulnerability was included in Version 10.0.18, released on May 7, 2015. Given how recently this patch was issued, though, administrators should verify that they have the most recent version installed.

The PHP vulnerability is of somewhat greater concern because of the near ubiquity of the scripting language. W3Techs reports that almost 82% of websites that use server-side scripting use PHP. Exploitation does not require authentication in this case, meaning that, depending on a web server’s and/or web application’s internal processing rules, this vulnerability could possibly also be used for a remote execution attack. For now, only PHP 5.6.9 and 5.4.41 use the latest PCRE library, patching this vulnerability.

Wherever possible, administrators should update MariaDB and PHP to the latest supported versions. It is possible that other vulnerabilities related to legacy versions of the PCRE library will emerge, and systems should be evaluated for the presence of PCRE Version 8.36 and below.

Fortinet customers who subscribe to Fortinet’s Intrusion Prevention Service are already protected from exploitation of the underlying PCRE vulnerability but are also advised to update their software as part of their regular patch management regimens.
