PHP 5

Tenable plugin 119764 is a version-based hit for upstream PHP 5.6.0 through 5.6.38, fixed in 5.6.39. The package rolls up three issues that matter here: CVE-2018-19518 (imap_open() argument injection that can reach shell execution on Unix-like systems), CVE-2018-19935 (imap_mail() NULL dereference DoS), and CVE-2018-20783 (PHAR parser out-of-bounds read / memory disclosure).

Tenable's HIGH label is understandable if you look only at the worst CVE in isolation, but it overstates fleet-wide risk. The only path that plausibly becomes code execution requires far more than an old PHP banner: the imap extension must be present, the application must pass attacker-controlled mailbox/server strings into IMAP functions, and insecure shell transport must still be reachable; the other bundled bugs are a crash and an over-read, not mass-compromise material.

Why this verdict

• Version hit != exploit path: Tenable detects by PHP banner/version, not by proving ext/imap is loaded, imap.enable_insecure_rsh is reachable, or the app passes untrusted mailbox strings into IMAP.
• The worst bug is workflow-dependent RCE: CVE-2018-19518 can become code execution, but only after multiple prerequisites stack: attacker reachability, vulnerable app feature, controllable mailbox parameter, and risky IMAP transport behavior.
• The rest of the bundle pulls severity down: CVE-2018-19935 is a crash and CVE-2018-20783 is an out-of-bounds read / disclosure bug. They do not justify keeping the overall plugin at a blanket HIGH by themselves.

Why not higher?

I am not calling this HIGH because the key exploit chain is not broad enough. Requiring a specific application behavior on top of an optional PHP extension is classic post-discovery friction, and there is no KEV-style evidence that attackers are mass-harvesting old PHP banners for this specific chain.

Why not lower?

I am not pushing this to LOW because there is still a legitimate public RCE path with published exploit references, and legacy PHP 5.6 fleets do show up on the public internet. If you do have an exposed mail-import or webmail-style feature using imap_open(), the local risk on those nodes is materially higher than the fleet average.

1. Disable insecure IMAP shell transport — Set imap.enable_insecure_rsh=0 anywhere ext/imap is still needed, and prefer explicit /norsh in connection strings. For a MEDIUM verdict there is no mitigation SLA; do this in the next normal change window, but make it an exception candidate sooner on internet-facing legacy apps.
2. Remove ext/imap where unused — If the host is just serving PHP apps and not doing mailbox operations, uninstall or stop loading the IMAP extension. This collapses the lead RCE path entirely; with no mitigation SLA for MEDIUM, fold it into standard hardening work rather than emergency ops.
3. Hunt for risky code paths — Search application code and config for imap_open(, imap_mail(, imap_append(, and dynamic mailbox strings built from request parameters, tenant settings, or admin-entered hostnames. Prioritize internet-facing and authenticated self-service features first; this is the fastest way to separate noisy banner hits from actually dangerous nodes.
4. Fence legacy PHP behind stronger boundaries — Where immediate upgrades are hard, move old PHP 5.6 apps behind VPN, SSO, reverse-proxy ACLs, or admin network restrictions so fewer attackers can even reach the vulnerable workflow. There is no mitigation SLA for MEDIUM, but shrinking reachability is still worthwhile before you get to full remediation.

Run this on the target Linux/Unix host that actually executes PHP, not from the scanner. Invoke it as bash verify_php_5639.sh /usr/bin/php (or omit the argument to auto-discover php); no root is required unless your PHP binary or package metadata is locked down.

#!/usr/bin/env bash
# verify_php_5639.sh
# Purpose: assess whether local PHP is upstream-vulnerable to the PHP 5.6.39 bundle
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

PHPBIN="${1:-$(command -v php 2>/dev/null || true)}"
if [[ -z "$PHPBIN" || ! -x "$PHPBIN" ]]; then
  echo "UNKNOWN - php binary not found"
  exit 2
fi

phpv_raw="$($PHPBIN -v 2>/dev/null | head -n1)"
phpver="$($PHPBIN -r 'echo PHP_VERSION;' 2>/dev/null)"
if [[ -z "$phpver" ]]; then
  echo "UNKNOWN - unable to read PHP_VERSION from $PHPBIN"
  exit 2
fi

# Helper: compare semantic versions with sort -V
ver_lt() {
  [[ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]]
}

# Gather extension / ini hints
modules="$($PHPBIN -m 2>/dev/null | tr '[:upper:]' '[:lower:]')"
phpi="$($PHPBIN -i 2>/dev/null || true)"
imap_loaded="no"
phar_loaded="unknown"
insecure_rsh="unknown"

if grep -qx 'imap' <<< "$modules"; then
  imap_loaded="yes"
fi
if grep -qx 'phar' <<< "$modules"; then
  phar_loaded="yes"
else
  phar_loaded="no"
fi

imap_line="$(grep -i '^imap.enable_insecure_rsh' <<< "$phpi" | head -n1 || true)"
if [[ -n "$imap_line" ]]; then
  # Common php -i format: imap.enable_insecure_rsh => Off => Off
  if grep -Eiq '=>[[:space:]]*off|=>[[:space:]]*0|=>[[:space:]]*false' <<< "$imap_line"; then
    insecure_rsh="off"
  elif grep -Eiq '=>[[:space:]]*on|=>[[:space:]]*1|=>[[:space:]]*true' <<< "$imap_line"; then
    insecure_rsh="on"
  fi
fi

# Detect distro-packaged builds where backports may make simple upstream version checks unreliable
backport_hint="no"
if grep -Eiq '(ubuntu|debian|red hat|rhel|suse|almalinux|rocky|amazon)' <<< "$phpv_raw"; then
  backport_hint="yes"
fi

# Upstream logic for this specific Tenable finding
# Fixed upstream at 5.6.39; plugin only targets PHP 5.6.x < 5.6.39
major_minor="$(awk -F. '{print $1 "." $2}' <<< "$phpver")"
if [[ "$major_minor" != "5.6" ]]; then
  echo "PATCHED - local PHP version is $phpver; this specific plugin targets 5.6.x < 5.6.39"
  exit 0
fi

if ! ver_lt "$phpver" "5.6.39"; then
  echo "PATCHED - local PHP version is $phpver (>= 5.6.39 upstream)"
  exit 0
fi

# If distro packaging is obvious, we cannot trust upstream version alone.
if [[ "$backport_hint" == "yes" ]]; then
  echo "UNKNOWN - PHP reports $phpver but appears distro-packaged/backported; verify package advisory status as well"
  echo "INFO - imap_loaded=$imap_loaded insecure_rsh=$insecure_rsh phar_loaded=$phar_loaded"
  exit 2
fi

# Upstream-built or plain versioned vulnerable case
if [[ "$imap_loaded" == "yes" && "$insecure_rsh" == "on" ]]; then
  echo "VULNERABLE - upstream PHP $phpver with ext/imap loaded and imap.enable_insecure_rsh enabled"
  exit 1
fi

if [[ "$imap_loaded" == "yes" && "$insecure_rsh" == "unknown" ]]; then
  echo "VULNERABLE - upstream PHP $phpver with ext/imap loaded; confirm imap.enable_insecure_rsh but treat as exposed to this bundle"
  exit 1
fi

if [[ "$phar_loaded" == "yes" ]]; then
  echo "VULNERABLE - upstream PHP $phpver is below 5.6.39; even without IMAP, the bundled PHAR over-read issue still applies"
  exit 1
fi

echo "VULNERABLE - upstream PHP $phpver is below 5.6.39"
exit 1

Sources

1. Tenable Nessus Plugin 119764
2. PHP 5.6.39 Release Announcement
3. PHP 5 ChangeLog
4. NVD - CVE-2018-19518
5. NVD - CVE-2018-19935
6. NVD - CVE-2018-20783
7. PHP Bug #77153 (`imap_open` command injection discussion)
8. PHP Manual - `imap_open()`