Critical Remote Code Execution Vulnerability in PHP Could Impact Millions of Servers

June 9, 2024

A critical remote code execution (RCE) vulnerability in the PHP programming language, tracked as CVE-2024-4577, has been identified by researchers at cybersecurity firm DEVCORE. This flaw can be exploited by unauthenticated attackers to gain full control of affected servers. PHP, a widely used open-source scripting language for web development, failed to implement the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows attackers to bypass the previous protection of CVE-2012-1823 with specific character sequences, leading to arbitrary code execution on remote PHP servers through an argument injection attack.

The vulnerability was reported to the PHP development team by Devcore researcher Orange Tsai on May 7, 2024, and a patch was released on June 6, 2024. The flaw resides in the Best-Fit feature of encoding conversion within the Windows operating system. By using specific character sequences, attackers can bypass protections for a previous vulnerability, CVE-2012-1823, enabling them to execute arbitrary code on remote PHP servers through an argument injection attack. This gives them control over vulnerable servers.

Since the vulnerability was disclosed and a PoC exploit code became publicly available, Shadowserver and GreyNoise researchers have reported multiple attempts to exploit it. Shadowserver researchers observed multiple IPs testing the vulnerability against its honeypot sensors starting on June 7th. GreyNoise researchers have also reported malicious attempts to exploit CVE-2024-4577.

The advisory from DEVCORE suggests that when Windows is running in certain locales, an unauthorized attacker can directly execute arbitrary code on the remote server. For Windows running in other locales such as English, Korean, and Western European, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios. Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.

XAMPP users are vulnerable due to a default configuration that exposes the PHP binary. While XAMPP has not yet released an update for this vulnerability, DEVCORE has provided instructions to mitigate the risk of attacks. The experts recommend administrators of systems that cannot be upgraded and users of EoL versions, to apply a mod_rewrite rule to block attacks. XAMPP users should find the 'ScriptAlias' directive in the Apache configuration file and comment it out. The advisory strongly recommends all users upgrade to the latest PHP versions of 8.3.8, 8.2.20, and 8.1.29. However, since PHP CGI is an outdated and problematic architecture, it's still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.