PatchSiren cyber security CVE debrief
CVE-2019-11035 Festo Didactic SE CVE debrief
CVE-2019-11035 is a critical memory-safety issue in PHP's EXIF extension. When certain EXIF-bearing files are processed, exif_iif_add_value can read past an allocated buffer, which may expose memory contents or crash the process handling the file. In the Festo Didactic SE MES PC advisory, the affected environment is a MES PC platform that ships with XAMPP, and Festo states that its Factory Control Panel replacement for the MES PC includes the fix.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Administrators and operators responsible for Festo Didactic SE MES PC systems, especially those running XAMPP/PHP components or legacy PHP 7.1/7.2/7.3 releases, should prioritize this.
Technical summary
The flaw is classified as CWE-125 (out-of-bounds read). The supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) describes an issue reachable over the network with low attack complexity, no privileges and no user interaction, with high confidentiality and availability impact and no integrity impact: an out-of-bounds read leaks memory or crashes the process, it does not by itself write memory. Affected PHP versions are 7.1.x before 7.1.28, 7.2.x before 7.2.17, and 7.3.x before 7.3.4; the fix is present from those patch releases onward. Branches the CVE text does not list (7.0 and earlier, 7.4 and later) are outside the stated ranges rather than confirmed unaffected.
Defensive priority
High. The issue is Critical by CVSS and can expose data or crash affected services. Prioritize any MES PC instance that still depends on the vulnerable PHP EXIF code path. The enrichment supplied here does not mark it as CISA KEV.
Recommended defensive actions
- Verify whether any MES PC deployments still use the affected PHP/XAMPP stack and confirm the exact PHP version in use (for example with php -v on the bundled PHP binary) and whether the exif extension is loaded (php -m); the vulnerable code path is only reachable when the extension is enabled.
- Move to Festo's current Factory Control Panel offering for MES PCs, as directed in the remediation guidance, by contacting [email protected].
- Upgrade or replace any vulnerable PHP 7.1/7.2/7.3 components so they are no longer within the affected ranges.
- Limit exposure of affected systems to only the networks and users they require, following CISA ICS recommended practices.
- Monitor for unexpected crashes or signs of information exposure in systems processing image or EXIF-bearing files.
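A version check that applies the affected ranges from the technical summary to the output of php -v and php -m, as an added example written for this debrief (it is not code from Festo, CISA or the PHP project). The two sample outputs are constructed; the function and binary names, and the assumption that the XAMPP binary sits at C:\xampp\php\php.exe on a Windows MES PC, are the author's. Branches the CVE does not name are reported as outside the listed ranges, not as safe.

```python
"""Check a PHP build against the CVE-2019-11035 affected ranges.

Added example for this debrief; not part of the Festo advisory or PHP.
Ranges come from the CVE text: 7.1.x < 7.1.28, 7.2.x < 7.2.17, 7.3.x < 7.3.4.
"""
import re
import subprocess

# (major, minor) -> first patch release on that branch that contains the fix.
FIXED_IN = {
    (7, 1): (7, 1, 28),
    (7, 2): (7, 2, 17),
    (7, 3): (7, 3, 4),
}

# First line of `php -v` looks like: "PHP 7.3.3 (cli) (built: ...)"
VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_version(php_v_output: str) -> tuple:
    """Extract (major, minor, patch) from the banner line of `php -v`."""
    m = VERSION_RE.search(php_v_output)
    if not m:
        raise ValueError("no PHP version banner found in output")
    return tuple(int(x) for x in m.groups())


def classify(version: tuple) -> str:
    """Return 'affected', 'fixed' or 'outside-listed-ranges'.

    Only the three branches named in the CVE are classified. Anything else
    (5.x, 7.0, 7.4+, 8.x) is reported as outside the listed ranges rather
    than as safe, because the CVE text says nothing about them; an EOL
    branch such as 7.0 is a reason to replace the build, not to relax.
    """
    major, minor, patch = version
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "outside-listed-ranges"
    return "affected" if (major, minor, patch) < fixed else "fixed"


def exif_loaded(php_m_output: str) -> bool:
    """True if 'exif' is listed in `php -m` (loaded modules)."""
    return any(line.strip().lower() == "exif" for line in php_m_output.splitlines())


def assess(php_v_output: str, php_m_output: str) -> dict:
    """Combine the version and extension checks into one verdict for a host."""
    version = parse_version(php_v_output)
    status = classify(version)
    exif = exif_loaded(php_m_output)
    # exif_iif_add_value is only reachable when the extension is loaded, so an
    # affected build with exif disabled is "patch soon", not "exposed now".
    return {
        "version": ".".join(map(str, version)),
        "status": status,
        "exif_loaded": exif,
        "exposed": status == "affected" and exif,
    }


def assess_local_php(php_binary: str = "php") -> dict:
    """Run the real check on this host; pass the XAMPP binary path on Windows
    (assumed default: C:\\xampp\\php\\php.exe)."""
    v = subprocess.run([php_binary, "-v"], capture_output=True, text=True, check=True).stdout
    m = subprocess.run([php_binary, "-m"], capture_output=True, text=True, check=True).stdout
    return assess(v, m)


# Constructed sample output in the shape `php -v` and `php -m` print.
SAMPLE_PHP_V = (
    "PHP 7.3.3 (cli) (built: Mar  5 2019 12:00:00) ( NTS )\n"
    "Copyright (c) 1997-2018 The PHP Group\n"
)
SAMPLE_PHP_M = "[PHP Modules]\nCore\ndate\nexif\nmbstring\n\n[Zend Modules]\n"

if __name__ == "__main__":
    print(assess(SAMPLE_PHP_V, SAMPLE_PHP_M))
```

Run assess_local_php(r"C:\xampp\php\php.exe") on the MES PC itself; a result with "exposed": True means the host is on an affected branch with the EXIF extension loaded and should be moved to the Factory Control Panel replacement or a fixed PHP release. The tristate from classify() matters in practice: a 7.0.x XAMPP bundle is not "fixed" just because it falls outside the ranges the CVE lists.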
Evidence notes
The source item explicitly states that PHP EXIF extension versions 7.1.x below 7.1.28, 7.2.x below 7.2.17, and 7.3.x below 7.3.4 can read past an allocated buffer in exif_iif_add_value, leading to information disclosure or crash. The CSAF metadata ties the advisory to Festo Didactic SE MES PC and records remediation via Factory Control Panel replacement. The provided enrichment says this is not a KEV item.
Official resources
- CVE-2019-11035 CVE record (CVE.org)
- CVE-2019-11035 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references (Reference entries from the CSAF document; link targets not preserved here)
CISA's republication date in 2026 reflects the advisory lifecycle and should not be treated as the vulnerability's original disclosure. The underlying CVE is a 2019 PHP EXIF buffer-read issue that was later included in the Festo Didactic SE