PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-7064 Festo Didactic SE CVE debrief

This advisory covers a low-complexity PHP EXIF parsing bug that can read one byte of uninitialized memory when exif_read_data() processes malicious data. For Festo Didactic SE MES PC environments, the practical concern is exposure through the affected PHP stack, with potential for limited information disclosure or a crash. The vendor-referenced remediation path is to move to the fixed Factory Control Panel release available through Festo support.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic MES PC operators, OT/ICS administrators, and anyone responsible for PHP applications that parse untrusted images with exif_read_data(). Security teams should prioritize systems still running PHP 7.2.x below 7.2.9, 7.3.x below 7.3.16, or 7.4.x below 7.4.4.

Technical summary

The underlying flaw is a one-byte uninitialized memory read in PHP's EXIF parser. Malicious EXIF content can cause PHP to disclose a small amount of memory or terminate unexpectedly. The supplied advisory associates the issue with Festo Didactic SE MES PC and points to a replacement Factory Control Panel release as the remediation path.

Defensive priority

Medium

Recommended defensive actions

  • Update affected PHP to the fixed releases referenced in the advisory: 7.2.9+, 7.3.16+, or 7.4.4+ where applicable.
  • If you operate Festo Didactic MES PC, obtain and deploy the current Factory Control Panel release through Festo technical support.
  • Inventory MES PC systems for bundled PHP/XAMPP or other EXIF-parsing components that may still be exposed.
  • Limit ingestion of untrusted image content where feasible and validate inputs before EXIF parsing.
  • Monitor for PHP crashes or anomalous behavior that could indicate the flaw is being triggered.
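As an added example (not part of the advisory or of Festo's software), the wrapper below applies the input-validation and monitoring actions listed above before exif_read_data() is ever called: it rejects files that are empty, oversized or not JPEG/TIFF by content, and it turns parser warnings into logged failures so repeated malformed input stands out. The size limit, log destination and upload path are assumptions.

```php
<?php
// Added example: gate exif_read_data() behind validation so untrusted uploads
// never reach the EXIF parser unchecked, and log every rejection or failure.
declare(strict_types=1);

const MAX_EXIF_IMAGE_BYTES = 8 * 1024 * 1024; // constructed limit; tune per deployment

/**
 * Returns the EXIF array for $path, or null when the file is rejected or the
 * parser reports a problem. Every null path is logged for operators.
 */
function safeReadExif(string $path): ?array
{
    if (!extension_loaded('exif')) {
        error_log('EXIF: extension not loaded, skipping parse');
        return null;
    }
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > MAX_EXIF_IMAGE_BYTES) {
        error_log(sprintf('EXIF: rejected %s (size %s)', $path, var_export($size, true)));
        return null;
    }
    // Only JPEG and TIFF carry EXIF; decide on real content, not the file extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if (!in_array($mime, ['image/jpeg', 'image/tiff'], true)) {
        error_log(sprintf('EXIF: rejected %s (mime %s)', $path, var_export($mime, true)));
        return null;
    }
    // exif_read_data() signals malformed input with warnings; raise them as exceptions
    // so a bad file is recorded instead of silently yielding partial data.
    set_error_handler(static function (int $no, string $msg): bool {
        throw new RuntimeException($msg, $no);
    });
    try {
        $data = exif_read_data($path, null, true);
        return $data === false ? null : $data;
    } catch (RuntimeException $e) {
        error_log(sprintf('EXIF: parse failure on %s: %s', $path, $e->getMessage()));
        return null;
    } finally {
        restore_error_handler();
    }
}

// Usage with a constructed upload path:
$exif = safeReadExif('/var/uploads/incoming/sample.jpg');
echo $exif === null ? "rejected or unparseable\n" : 'parsed ' . count($exif) . " sections\n";
```

Feed the error_log output into whatever collects PHP warnings on the MES PC host; a spike in "EXIF: parse failure" lines is the anomalous behavior the last action item asks you to watch for.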

Evidence notes

The source item is a CISA CSAF republication of Festo Didactic SE advisory ICSA-26-027-02 for MES PC. The description matches the PHP issue: exif_read_data() can read one byte of uninitialized memory in PHP 7.2.x below 7.2.9, 7.3.x below 7.3.16, and 7.4.x below 7.4.4. The remediation notes state that Factory Control Panel replaces XAMPP on MES PCs and is available from Festo technical support. No KEV entry is present in the supplied corpus.

Official resources

Publicly disclosed through vendor and CISA advisory channels; the supplied source item shows initial publication on 2024-02-27 and a later CISA republication on 2026-01-27.