Context
A new PHP for Windows remote code execution (RCE) vulnerability has been disclosed, impacting all releases since version 5.x, potentially impacting a massive number of servers worldwide. The new RCE flaw, tracked as CVE-2024-4577, was discovered by Devcore Principal Security Researchers on 7 May 2024, who reported it to the PHP developers. PHP project maintainers released a patch on 6 Jun 2024, addressing the vulnerability.
Community Impact
PHP is a widely used open-source scripting language designed for web development and commonly deployed on both Windows and Linux servers, including in the retail and hospitality sectors. As Devcore has stated, the CVE-2024-4577 vulnerability impacts all versions of PHP for Windows. Members running PHP 8.0 (End of Life), PHP 7.x (EoL), or PHP 5.x (EoL) are advised to upgrade to a supported version or apply the mitigations below.
Background
CVE-2024-4577 is caused by an oversight in handling character encoding conversions, specifically the ‘Best-Fit’ feature on Windows when PHP is used in CGI mode. This oversight allows unauthenticated attackers to bypass the earlier protection added for CVE-2012-1823 using specific character sequences, so that arbitrary code can be executed on remote PHP servers through an argument injection attack.
This flaw circumvents the protections the PHP team had implemented in the past for CVE-2012-1823, which was exploited in malware attacks several years after its remediation. Analysts explain that even if PHP is not configured in CGI mode, CVE-2024-4577 might still be exploitable if the PHP executables (e.g., php.exe or php-cgi.exe) are in directories accessible by the web server.
Because this is the default configuration on XAMPP for Windows, Devcore warns that all XAMPP installations on Windows are likely vulnerable.
Recommendations
Members utilizing supported PHP versions should upgrade to the versions that incorporate the patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.
For systems that cannot be immediately upgraded, and for users of EoL versions, applying a mod_rewrite rule such as the following to block attacks is highly recommended:
RewriteEngine On
# Reject any request whose raw query string begins with %ad (case-insensitive)
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
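As an added example (not part of the RH-ISAC advisory or Devcore's material), the following Python script applies the same condition the rewrite rule above enforces, a raw query string that begins with %ad, case-insensitively, to Apache combined-format access-log lines, so a defender can review historical logs for requests the rule would have blocked. The log lines are constructed samples; the anywhere option goes beyond the page's rule by also flagging %ad later in the query string.

```python
import re
from dataclasses import dataclass

# Constructed Apache "combined" log lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?%ADx=1 HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "GET /test.php?%ad HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.14 - - [10/Jun/2024:12:00:05 +0000] "GET /search.php?q=1&%adx=2 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>[\d.]+)"')
# Leading client address field
CLIENT_RE = re.compile(r'^(?P<client>\S+) ')


@dataclass
class Hit:
    client: str
    method: str
    path: str
    query: str


def query_string(target: str) -> str:
    """Return the raw (still percent-encoded) query string of a request target, or ''."""
    _, sep, query = target.partition('?')
    return query if sep else ''


def matches_rule(query: str, anywhere: bool = False) -> bool:
    """Mirror `RewriteCond %{QUERY_STRING} ^%ad [NC]`: the raw query starts with %ad,
    compared case-insensitively. With anywhere=True the check is loosened to %ad at any
    position in the query string (an extension of this example, not the page's rule)."""
    q = query.lower()
    return ('%ad' in q) if anywhere else q.startswith('%ad')


def scan_log(text: str, anywhere: bool = False) -> list:
    """Return a Hit for every log line whose request the rewrite rule would reject."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line; skip rather than guess
        query = query_string(m['target'])
        if matches_rule(query, anywhere):
            client = CLIENT_RE.match(line)
            hits.append(Hit(client['client'] if client else '?',
                            m['method'],
                            m['target'].partition('?')[0],
                            query))
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG, anywhere=True):
        print(f'{hit.client} {hit.method} {hit.path} query={hit.query!r}')
```

Because RewriteCond inspects the query string before percent-decoding, the script deliberately compares the raw encoded text rather than decoding it first; decoding would turn %ad into a soft-hyphen byte and the comparison would no longer correspond to what the rule sees.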
If Members use XAMPP and do not need the PHP CGI feature, find the ‘ScriptAlias’ directive in the Apache configuration file (typically at ‘C:/xampp/apache/conf/extra/httpd-xampp.conf’) and comment it out. Admins can determine whether PHP is running as CGI by calling phpinfo() and checking the ‘Server API’ value in its output.
Devcore also suggests that system administrators consider migrating from CGI to more secure alternatives, like FastCGI, PHP-FPM, and Mod-PHP.
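As an added example (not part of the advisory or of any PHP project code), the following Python helper turns the recommendations above into a single assessment: given a PHP version string, the SAPI name (the ‘Server API’ value from phpinfo(), or the result of php_sapi_name()), and the OS family, it reports whether the build is on an EoL branch, below the patched release named for its branch, or already patched, and whether it runs in CGI mode. The patched-release table is the one the advisory lists; treating branches newer than 8.3 as already carrying the fix is this example's assumption.

```python
from enum import Enum

# Patched releases named in the advisory, keyed by minor branch.
PATCHED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
NEWEST_PATCHED_BRANCH = max(PATCHED)

# SAPI names that indicate PHP is running as CGI: php_sapi_name() returns 'cgi' or
# 'cgi-fcgi' for php-cgi, while phpinfo() shows the 'Server API' as 'CGI/FastCGI'.
CGI_SAPIS = {'cgi', 'cgi-fcgi', 'cgi/fastcgi'}


class Status(Enum):
    NOT_WINDOWS = 'not affected: not a Windows build'
    PATCHED = 'patched release'
    EOL = 'end-of-life branch: upgrade or apply the mitigations'
    VULNERABLE = 'unpatched release: upgrade'


def parse_version(v: str) -> tuple:
    """Turn '8.2.19' or '8.2.19-dev' into (8, 2, 19); reject anything else."""
    core = v.split('-', 1)[0]
    parts = core.split('.')
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f'unrecognised PHP version: {v!r}')
    return tuple(int(p) for p in parts)


def is_cgi_mode(sapi: str) -> bool:
    """True when the SAPI name denotes the CGI binary (FPM's 'fpm-fcgi' is not CGI mode)."""
    return sapi.strip().lower() in CGI_SAPIS


def assess(version: str, sapi: str, os_family: str = 'Windows') -> tuple:
    """Return (Status, cgi_mode) for a PHP build described by version, SAPI and OS family.
    cgi_mode is reported separately because the advisory notes that a non-CGI
    configuration may still be exposed if php-cgi.exe sits in a web-accessible directory."""
    cgi_mode = is_cgi_mode(sapi)
    if os_family.strip().lower() != 'windows':
        return Status.NOT_WINDOWS, cgi_mode
    ver = parse_version(version)
    branch = ver[:2]
    if branch > NEWEST_PATCHED_BRANCH:
        # Assumption of this example: branches released after the fix already contain it.
        return Status.PATCHED, cgi_mode
    fix = PATCHED.get(branch)
    if fix is None:
        # 8.0, 7.x and 5.x have no patched release: the advisory's EoL case.
        return Status.EOL, cgi_mode
    return (Status.PATCHED if ver >= fix else Status.VULNERABLE), cgi_mode


if __name__ == '__main__':
    # Values a Windows admin would obtain with:
    #   php -r "echo PHP_VERSION, ' ', php_sapi_name(), ' ', PHP_OS_FAMILY;"
    for args in (('8.2.19', 'cgi-fcgi'), ('8.3.8', 'apache2handler'), ('7.4.33', 'CGI/FastCGI')):
        status, cgi = assess(*args)
        print(f'{args[0]:8} {args[1]:16} {status.value} (CGI mode: {cgi})')
```

The constants used in the comment above, PHP_VERSION, php_sapi_name() and PHP_OS_FAMILY, are standard PHP facilities; feeding their output into assess() gives the same answer as reading the ‘Server API’ line of phpinfo() by hand.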