TLP Clear HC3 Sector Alert Critical Vulnerability in PHP Programming Language – June 12, 2024

Overview

Administrators are being advised to update their systems following the disclosure of a critical remote code execution vulnerability in PHP. PHP, or Hypertext Preprocessor, is a widely used open-source scripting language that is used to create dynamic web pages and applications on both Windows and Linux servers. It is a general-purpose language that can be embedded into HTML, which makes it popular with developers because it simplifies HTML code. The vulnerability, discovered on May 7, 2024, and now tasked as CVE-2024-4577, impacts all releases since version 5.x, potentially impacting a massive number of servers worldwide. This Sector Alert provides an overview of the vulnerability and remediation strategies.

Report

The CVE-202404577 vulnerability affects all versions of PHP running on a Windows device. That includes version branches 8.3 prior to 8.3.8, 8.2 prior to 8.2.20, and 8.1 prior to 8.1.29. The 8.0, 7, and 5 version branches are also vulnerable, but because they are no longer supported, admins will have to follow mitigation advice since patches are not available.

The vulnerability is actually a recurrence of an argument injection bug that was patched more than a decade ago. In 2012, while implementing PHP, an overlooked Best-Fit feature of encoding conversion within the Windows operating system allowed unauthenticated attackers to bypass the previous protecton of CVE-2012-1823 by specific character sequences.

The newly discovered vulnerability occurs when a server of PC is running in certain configurations that expose Common Gateway Interface (CGI), which enables web servers to execute an external program to process HTTP or HTTPS user requests. This means that when PHP is configured to allow certain types of CGI interaction, arbitrary arguments can be injected remotely. This, in turn, would allow a potential attacker to trigger code execution on the targeted server and take complete control.

CVE-2024-4577 affects PHP only when it runs in CGI mode, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP is not set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified.

The researcher credited with discovering this vulnerability stated that while it is difficult to assess whether a machine is vulnerable to the attack scenario, some systems are more vulnerable than others. While Windows systems running Japanese, traditional Chinese, or simplified Chinese are all presumed to be vulnerable, the danger for other systems depends on whether CGI mode is enabled or the PHP binary is exposed. For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios.

Despite only being discovered a few days ago, cybersecurity researchers have already confirmed detected exploitation attempts involving the flaw against its honeypot servers within 24 hours of public disclosure of the vulnerability. As with any critical vulnerability impacting many devices, once disclosed, both threat actors and researchers immediately began attempting to find vulnerable systems.

View the detailed report below.