1 min read

Mitigation Instructions for CVE-2024-4577

Mitigation Instructions for CVE-2024-4577

SUBJECT: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability

TECH STACK: PHP versions 8.1., 8.2., and 8.3.* on Windows with Apache and PHP-CGI

DATE(S) ISSUED: 06/07/2024

CRITICALITY: HIGH

OVERVIEW:

CVE-2024-4577 is a severe argument injection vulnerability in PHP that can be exploited for Remote Code Execution (RCE). This flaw stems from errors in character encoding conversions, particularly the "Best-Fit" feature on Windows systems using Apache and PHP-CGI. Unauthenticated attackers can exploit this vulnerability by manipulating URL parameters to execute arbitrary code on the affected system.

THREAT INTELLIGENCE:

This vulnerability has been actively exploited to deploy ransomware such as TellYouThePass, making it a significant threat. It affects all PHP versions for Windows prior to 8.1.29, 8.2.20, and 8.3.8. The Shadowserver Foundation has reported multiple IP addresses scanning for vulnerable servers.

SOLUTION:

Steps to Mitigate:

  1. Upgrade PHP:

    • Upgrade to PHP versions 8.3.8, 8.2.20, or 8.1.29, which include patches for this vulnerability.
    • Download the latest versions from the official PHP website.
  2. Apply Temporary Mitigations (if upgrade is not immediately possible):

    • For users who cannot upgrade PHP immediately, apply the following Apache Rewrite Rules to block attacks:
      apache
       
      RewriteEngine On
      RewriteCond %{QUERY_STRING} ^%ad [NC]
      RewriteRule .? - [F,L]
    • For XAMPP users on Windows, if the PHP CGI feature is not required, disable it by editing the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf):
      apache
       
      # ScriptAlias /php-cgi/ "C:/xampp/php/"
  3. Verify Configuration:

    • Ensure that the patches or mitigations are correctly applied by checking the server configurations and running security scans using tools like Nessus or other vulnerability scanners.
  4. Consider Migration to More Secure Architectures:

    • Evaluate migrating to more secure PHP execution methods such as Mod-PHP, FastCGI, or PHP-FPM, as PHP-CGI is outdated and more prone to such vulnerabilities.

REFERENCES: