www.belgium.be Logo of the federal government

Warning: PHP Remote Code Execution, Patch Immediately!

Reference: 
Advisory #2024-82
Version: 
2.0
Affected software: 
PHP for Windows:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2024-4577: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Vendor Advisory (Publication TBD): https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv
 

Risks

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability affecting the PHP CGI component of PHP installed on Windows Operating Systems. Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system. This would highly affect the confidentiality, integrity, and availability.

Security researchers confirmed exploitation on Windows platforms running in the traditional Chinese (cp950), Simplified Chinese (cp936) and Japanese (cp932) locales. For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios.

Update 13/06/2024: This vulnerability is actively exploited by the ransomware group TellYouThePass.

Description

PHP, recursive acronym for PHP: Hypertext Preprocessor, is a general-purpose scripting language geared towards web development. PHP code is usually processed on a web server by a PHP interpreter implemented as a module, a daemon or a Common Gateway Interface (CGI) executable. This latest component is affected by the vulnerability CVE-2024-4577.

When configuring the Action directive to map corresponding HTTP requests to a PHP-CGI executable binary in Apache HTTP Server, this vulnerability can be exploited directly. Even if PHP is not configured under the CGI mode, exposing the PHP executable binary in the CGI directory is affected by this vulnerability. Although PHP-CGI has gradually been phased out over time, this vulnerability affects XAMPP for Windows by default.

CVE-2024-4577 allows an unauthenticated remote attacker to circumvent the protections the PHP team had implemented in the past for CVE-2012-1823, another PHP RCE vulnerability. This implies that, next to the PHP versions mentioned above End of Life (EoL) PHP versions such as 5.x, 6.x, 7.x and 8.0.x are also vulnerable. Successful exploitation results in execution of arbitrary commands on the underlying operating system.

Security researchers confirmed exploitation on Windows platforms running one of following locales:
•    Traditional Chinese (Code Page 950)
•    Simplified Chinese (Code Page 936)
•    Japanese (Code Page 932)

For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios.

Shortly after the vulnerability disclosure exploit Proof of Concept (PoC) code was published. Starting June 7th several OSINT sources reported on observed CVE-2024-4577 scanning activity. At the time of writing there is no available information yet about the vulnerabilities being exploited in the wild by threat actors.

 

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.

Scope
If it does not exist yet, create an inventory that includes all the infrastructure from your organisation and check per entry if PHP is used. Note certain appliances and software packages might include a copy of PHP in their installation package.

Patch
The Centre for Cyber Security Belgium strongly recommends installing updates for vulnerable setups with the highest priority, after thorough testing. Since the security researchers indicated they can not eliminate all potential exploitation scenarios, the Centre for Cyber Security Belgium also strongly encourages patching installing updates for vulnerable software with the highest priority, after thorough testing.

Mitigate
For vulnerable systems that cannot be upgraded, the security researchers provided instructions which can be used to temporarily mitigate the vulnerability. However it is also advised to migrate from PHP CGI to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM. Also verify the PHP binary is not accidentally exposed to the internet.

Monitor/Detect
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion. In case of an intrusion, please report the incident via: https://cert.be/en/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. It is thus advised to also check historic logs.
 

References

Security researcher: https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/

Security researcher: https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html

Vulnerability researcher: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/