Executive Summary
CVE-2024-4577 is a critical vulnerability that has emerged as a significant threat to PHP installations on Windows servers, particularly affecting systems configured with Traditional Chinese, Simplified Chinese, and Japanese language settings. This vulnerability, found in the PHP CGI module, allows attackers to execute arbitrary code by exploiting character encoding conversion flaws. The vulnerability's prevalence in specific language configurations suggests a targeted focus on regions using these locales. Immediate attention and action are required to mitigate the risks associated with this vulnerability.
Technical Information
CVE-2024-4577 is a critical security flaw identified in the PHP CGI module, specifically impacting Windows-based systems. The vulnerability arises from improper handling of character encoding conversions when PHP is used in CGI mode. This flaw allows an attacker to execute arbitrary code on the server by exploiting the "Best-Fit" behavior of Windows, which misinterprets certain characters as PHP options. The vulnerability is particularly concerning due to its ease of exploitation and the availability of proof-of-concept (PoC) code.
The vulnerability affects multiple versions of PHP, including PHP 8.3 versions prior to 8.3.8, PHP 8.2 versions prior to 8.2.20, and PHP 8.1 versions prior to 8.1.29. Older versions such as PHP 8, PHP 7, and PHP 5 are also vulnerable. The vulnerability can be exploited if the PHP software is configured in CGI mode and the php.exe or php-cgi.exe binaries are exposed, which is common in default XAMPP installations on Windows.
The vulnerability is particularly prevalent in Traditional Chinese, Simplified Chinese, and Japanese language configurations. This suggests a potential focus on regions using these locales, making it imperative for organizations in these areas to prioritize mitigation efforts. The vulnerability's exploitation involves argument injection, allowing attackers to execute arbitrary code on remote PHP servers.
Several PoCs and public exploits are available, demonstrating the vulnerability's potential to allow remote command injection. Notably, the TellYouThePass ransomware has been observed exploiting this vulnerability in the wild. The availability of PoC code and the ease of exploitation make this vulnerability particularly dangerous.
Exploitation in the Wild
The SANS Internet Storm Center has reported that honeypots have detected probes for CVE-2024-4577, with attackers using a soft hyphen (Unicode code point 0x00AD) to bypass Apache's escape process and inject command line arguments to php.exe. This allows for PHP code execution. Ars Technica has also reported that the vulnerability is exploited through argument injection, allowing attackers to execute arbitrary code on remote PHP servers. The vulnerability's exploitation in the wild underscores the urgent need for organizations to implement mitigation strategies.
APT Groups using this vulnerability
While specific Advanced Persistent Threat (APT) groups exploiting CVE-2024-4577 have not been publicly identified, the vulnerability's prevalence in Traditional Chinese, Simplified Chinese, and Japanese language configurations suggests a potential focus on regions using these locales. Organizations in these areas should remain vigilant and prioritize mitigation efforts to protect against potential exploitation by APT groups.
Affected Product Versions
The following PHP versions are affected by CVE-2024-4577: PHP 8.3 versions prior to 8.3.8, PHP 8.2 versions prior to 8.2.20, PHP 8.1 versions prior to 8.1.29, and older versions such as PHP 8, PHP 7, and PHP 5. Organizations using these versions should prioritize updating to the latest patched versions to mitigate the risk of exploitation.
Workaround and Mitigation
The primary mitigation strategy for CVE-2024-4577 is to update PHP to the latest patched versions: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29. For installations using Traditional Chinese, Simplified Chinese, and Japanese, a temporary mitigation involves rewriting specific rules in the server configuration. For example, using Apache's mod_rewrite module, administrators can block requests containing the soft hyphen character by adding the following rules to the server configuration:
For XAMPP installations, administrators should comment out the following line in the
```
ScriptAlias /php-cgi/ "C:/xampp/php/"
```
Organizations should also consider migrating to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM to enhance security. Additionally, the presence of the vulnerability can be identified by checking the PHP version or using scripts and Nuclei templates designed for this purpose.
References
For more detailed information on CVE-2024-4577, please refer to the following resources:
- NVD CVE-2024-4577: https://nvd.nist.gov/vuln/detail/CVE-2024-4577
- Tarlogic Blog on CVE-2024-4577: https://www.tarlogic.com/blog/cve-2024-4577-critical-vulnerability-php/
- GitHub PoC by 11whoami99: https://github.com/11whoami99/CVE-2024-4577
- Metasploit Framework Pull Request: https://github.com/rapid7/metasploit-framework/pull/19247
- SANS Internet Storm Center: https://isc.sans.edu/diary/Attacker%20Probing%20for%20New%20PHP%20Vulnerablity%20CVE-2024-4577/30994
- Ars Technica: https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive visibility into your organization's security posture, enabling you to identify and mitigate vulnerabilities like CVE-2024-4577. We are here to support you in implementing effective security measures and ensuring the resilience of your systems. For further assistance or inquiries, please contact our cybersecurity team at ops@rescana.com.
Comments