SUBJECT: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability
TECH STACK: PHP versions 8.1.*, 8.2.*, and 8.3.* on Windows with Apache and PHP-CGI
DATE(S) ISSUED: 06/07/2024
CRITICALITY: HIGH
OVERVIEW:
CVE-2024-4577 is a severe argument injection vulnerability in PHP that can be exploited for Remote Code Execution (RCE). This flaw stems from errors in character encoding conversions, particularly the “Best-Fit” feature on Windows systems using Apache and PHP-CGI. Unauthenticated attackers can exploit this vulnerability by manipulating URL parameters to execute arbitrary code on the affected system.
THREAT INTELLIGENCE:
This vulnerability has been actively exploited to deploy ransomware such as TellYouThePass, making it a significant threat. It affects all PHP versions for Windows prior to 8.1.29, 8.2.20, and 8.3.8. The Shadowserver Foundation has reported multiple IP addresses scanning for vulnerable servers.
SOLUTION:
Steps to Mitigate:
- Upgrade PHP:
- Upgrade to PHP versions 8.3.8, 8.2.20, or 8.1.29, which include patches for this vulnerability.
- Download the latest versions from the official PHP website.
- Apply Temporary Mitigations (if upgrade is not immediately possible):
- For users who cannot upgrade PHP immediately, apply the following Apache Rewrite Rules to block attacks:
  RewriteEngine On
  RewriteCond %{QUERY_STRING} ^%ad [NC]
  RewriteRule .? - [F,L]
- For XAMPP users on Windows, if the PHP CGI feature is not required, disable it by editing the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf) and commenting out the ScriptAlias line:
  # ScriptAlias /php-cgi/ "C:/xampp/php/"
- Verify Configuration:
- Ensure that the patches or mitigations are correctly applied by checking the server configurations and running security scans using tools like Nessus or other vulnerability scanners.
- Consider Migration to More Secure Architectures:
- Evaluate migrating to more secure PHP execution methods such as mod_php, FastCGI, or PHP-FPM, as PHP-CGI is outdated and more prone to such vulnerabilities.
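As an added example (not part of this advisory or of PHP's own guidance), the following Python script applies the same condition as the RewriteCond above, a query string beginning with %ad (case-insensitive), to Apache access-log lines, so existing logs can be checked for requests the rule would have blocked. The log lines are constructed samples and the Apache "combined" log format is assumed.

```python
# Added example: find access-log requests that the CVE-2024-4577 mitigation
# rule (RewriteCond %{QUERY_STRING} ^%ad [NC]) would reject.
# The log lines below are constructed samples, not real traffic.
import re
from urllib.parse import urlsplit

# Apache combined format: client ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Mirrors the mitigation: query string starts with the percent-encoded byte
# 0xAD (soft hyphen), which the Windows "Best-Fit" conversion maps to '-'.
SUSPECT_QS = re.compile(r'^%ad', re.IGNORECASE)


def is_suspect_query(target: str) -> bool:
    """True when the raw (still percent-encoded) query string starts with %ad/%AD."""
    query = urlsplit(target).query  # urlsplit does not percent-decode
    return bool(SUSPECT_QS.match(query))


def flag_requests(lines):
    """Return (client_ip, target, status) for every log line matching the rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspect_query(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jun/2024:10:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADs=1 HTTP/1.1" 200 64',
    '198.51.100.7 - - [07/Jun/2024:10:00:03 +0000] "GET /test.php?%adx HTTP/1.1" 403 199',
    # %ad not at the start of the query string: the rewrite rule does not match this one
    '192.0.2.9 - - [07/Jun/2024:10:00:04 +0000] "GET /a.php?q=%ad HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, target, status in flag_requests(SAMPLE_LOG):
        print(f"suspect request from {ip}: {target} (status {status})")
```

A 200 status on a flagged line means the request reached the server before the rewrite rule was in place and warrants a closer look; a 403 shows the rule doing its job.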