PHP Vulnerability Exposes Millions of Servers to RCE (CVE-2024-4577)

Bar Refael

June 9, 2024

A critical remote code execution (RCE) vulnerability has been discovered in PHP, a cornerstone of the web ecosystem. Tracked as CVE-2024-4577, this vulnerability could potentially allow unauthenticated attackers to take full control of affected PHP servers.

Vulnerability Details

CVE-2024-4577: PHP Remote Code Execution Vulnerability

  • Description: The vulnerability resides in the Best-Fit feature of encoding conversion within the Windows operating system during PHP implementation. This oversight allows attackers to bypass protections implemented for a previous vulnerability (CVE-2012-1823) through specific character sequences. As a result, arbitrary code can be executed on remote PHP servers via an argument injection attack.
  • CVSS Score: 9.8 (Critical)
  • Impact: High. Exploitation can lead to unauthorized access and complete control of the affected servers.

Exploit Mechanism

  • The vulnerability is triggered by the handling of “soft hyphens” (character code 0xAD) in PHP’s CGI mode. PHP mistakenly treats these as regular hyphens, allowing attackers to inject additional commands into the PHP interpreter.
  • The vulnerability is particularly potent in specific locales (Chinese and Japanese), but other languages may also be affected.

Affected Products

The vulnerability impacts all versions of PHP on Windows, particularly those still under active maintenance:

  • PHP 8.3 (versions before 8.3.8)
  • PHP 8.2 (versions before 8.2.20)
  • PHP 8.1 (versions before 8.1.29)

Users of XAMPP, a popular PHP development environment for Windows, are especially vulnerable due to a default configuration that exposes the PHP binary.

Potential Impact

Given the widespread use of PHP across various industries and the ease of exploitation, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access, full control of affected servers, and potential further compromise of affected networks.

Urgency for Action

DEVCORE and watchTowr have both highlighted the critical nature of this vulnerability, urging immediate action. The PHP development team released patches on June 6, 2024, to address the issue. However, users who cannot immediately update should apply temporary mitigation strategies.

Recommendations

  1. Immediate Update:
    • Upgrade to the latest versions of PHP: 8.3.8, 8.2.20, or 8.1.29, which include patches for this vulnerability.
  2. Temporary Mitigation:
    • For systems that cannot be upgraded immediately:
      • Blocking Attacks via Rewrite Rules:

Use specific rewrite rules to block attacks for Traditional Chinese, Simplified Chinese, and Japanese locales:

RewriteEngine On

RewriteCond %{QUERY_STRING} ^%ad [NC]

RewriteRule .? – [F,L]

  • Configuration Adjustments for XAMPP Users:

Comment out the ScriptAlias directive in httpd-xampp.conf:

# ScriptAlias /php-cgi/ “C:/xampp/php/”

  1. Monitor for Exploitation Attempts:
    • Actively monitor network traffic and server logs for any signs of exploitation attempts.

The discovery of CVE-2024-4577 highlights a critical security flaw in PHP, underscoring the importance of timely updates and vigilant monitoring. Organizations using PHP must act swiftly to apply patches or mitigation strategies to protect their systems from potential exploitation.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox