Critical Remote Code Execution Vulnerability in PHP for Windows: All Versions Impacted

June 7, 2024

A newly disclosed remote code execution (RCE) vulnerability in PHP for Windows, tracked as CVE-2024-4577, could affect a large number of servers worldwide. Every Windows build of PHP from 5.x up to the current 8.x branches is affected. PHP, an open-source scripting language widely used for web development, is commonly deployed on both Windows and Linux servers; Linux builds are not affected, because the flaw lies in a Windows-specific encoding behaviour. The flaw was discovered by Devcore Principal Security Researcher Orange Tsai, who reported it to the PHP developers.

The PHP project released patched versions on June 6, 2024. Because PHP is so widely deployed, and because several of the affected branches are no longer maintained and receive no patch, many systems are likely to remain vulnerable for an extended period. Once a critical vulnerability is disclosed, threat actors and researchers typically begin searching for vulnerable systems immediately; the Shadowserver Foundation has already reported multiple IP addresses scanning for servers susceptible to CVE-2024-4577.

The CVE-2024-4577 flaw arises from an oversight in handling character-encoding conversions, specifically the 'Best-Fit' behaviour of Windows code-page conversion, when PHP runs in CGI mode. The CVE-2012-1823 fix stops php-cgi from accepting command-line options smuggled in the query string by rejecting arguments that begin with a hyphen; Best-Fit conversion, however, runs after that check and maps certain non-ASCII code points to look-alike ASCII characters (the soft hyphen, byte 0xAD, becomes an ordinary '-'), so a request can pass the check and still inject options such as -d. A Devcore advisory explains, "While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack." This vulnerability bypasses the protection implemented for CVE-2012-1823, a flaw that was still being exploited in malware attacks several years after it was fixed.
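To make the ordering problem concrete, here is an added Python model of the two steps (this is not PHP's source and not Devcore's code): a guard in the spirit of the CVE-2012-1823 fix that rejects query-string-derived arguments beginning with '-', followed by a Best-Fit conversion reduced to the single mapping that matters here, soft hyphen 0xAD to hyphen 0x2D. The `BEST_FIT`, `vulnerable_pipeline` and `hardened_pipeline` names are this example's own; the real Windows tables are code-page specific and far larger, and the hardened variant shows one way to fix the ordering (normalise before checking), not necessarily the change PHP shipped.

```python
from urllib.parse import unquote_to_bytes

# Best-Fit table reduced to the one entry that matters for this bug (assumption:
# the Windows code pages 932/936/950 carry this mapping among many others).
BEST_FIT = {0xAD: 0x2D}  # U+00AD SOFT HYPHEN -> '-' (0x2D)


def best_fit(raw: bytes) -> bytes:
    """Model of Windows code-page conversion with Best-Fit substitution."""
    return bytes(BEST_FIT.get(b, b) for b in raw)


def query_to_argv(query: str) -> list[bytes]:
    """Model of the CGI rule (RFC 3875 section 4.4): a query string with no
    literal '=' is a search string, split on '+' and percent-decoded into argv.
    A percent-encoded '=' (%3d) is not a literal one, so it still goes to argv."""
    if "=" in query:
        return []
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def guard_2012(argv: list[bytes]) -> bool:
    """Spirit of the CVE-2012-1823 fix: refuse any argument that starts with '-'
    so that options such as -d cannot be injected from the URL."""
    return not any(arg.startswith(b"-") for arg in argv)


def vulnerable_pipeline(query: str):
    """Guard first, Best-Fit conversion afterwards: the order CVE-2024-4577
    exploits. Returns the converted argv, or None if the guard rejected it."""
    argv = query_to_argv(query)
    if not guard_2012(argv):
        return None
    return [best_fit(arg) for arg in argv]


def hardened_pipeline(query: str):
    """Normalise with the same conversion before applying the guard, so a soft
    hyphen is judged as the '-' it is about to become."""
    argv = [best_fit(arg) for arg in query_to_argv(query)]
    if not guard_2012(argv):
        return None
    return argv


if __name__ == "__main__":
    # Constructed request: a soft hyphen (%AD) in front of 'd', a harmless ini
    # setting after it, and '%3d' so the query string carries no literal '='.
    probe = "%ADd+display_errors%3d1"
    print("plain '-d' rejected by the 2012 guard:", vulnerable_pipeline("-d+display_errors%3d1"))
    print("soft hyphen slips past it and becomes -d:", vulnerable_pipeline(probe))
    print("normalise-then-check rejects it:", hardened_pipeline(probe))
```

The model deliberately uses a harmless ini setting; the point is only that a byte the guard does not recognise as a hyphen is turned into one after the guard has run, which is exactly why a check on the raw bytes is not enough.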

Even if PHP is not configured in CGI mode, the vulnerability may still be exploitable when the PHP executables (php.exe or php-cgi.exe) sit in a directory the web server exposes. This is particularly concerning for XAMPP installations on Windows, whose default Apache configuration maps such a directory through a ScriptAlias and is therefore likely to be vulnerable. Devcore confirmed exploitation on Windows systems running in the Traditional Chinese, Simplified Chinese, and Japanese locales (code pages 950, 936, and 932), whose Best-Fit tables contain the mapping the attack relies on; for other locales the advisory does not rule out exploitation, so administrators should not treat locale alone as a safeguard.

To mitigate CVE-2024-4577, users of PHP 8.0, 7.x, or 5.x (all End of Life) are advised to upgrade to a supported branch or apply the interim mitigations. Users of supported branches should upgrade to a release that includes the fix: PHP 8.3.8, PHP 8.2.20, or PHP 8.1.29. Systems that cannot be upgraded immediately, and EoL versions, should deploy a mod_rewrite rule that blocks the attack pattern; XAMPP users should additionally disable the ScriptAlias that exposes the PHP directory. Devcore also recommends that system administrators migrate from CGI to more robust alternatives such as FastCGI, PHP-FPM, and Mod-PHP.
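The mod_rewrite rule and the XAMPP change, as an added example: the rewrite rule is the one published in Devcore's advisory, while the file path and the ScriptAlias line are assumptions based on a default XAMPP layout and are not taken from this page.

```apache
# Block query strings that begin with a percent-encoded soft hyphen (%AD),
# the byte that Best-Fit conversion turns into '-' on the affected code pages.
# Rule as published in Devcore's CVE-2024-4577 advisory; place it in the
# virtual host or .htaccess that serves the affected site.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

# XAMPP only (assumed default file: C:\xampp\apache\conf\extra\httpd-xampp.conf):
# comment out the ScriptAlias that exposes the PHP directory through the web server.
# ScriptAlias /php-cgi/ "C:/xampp/php/"
```

After reloading Apache, confirm the rule is active by requesting any PHP page with a query string that starts with %AD and expecting HTTP 403. The rule is a stopgap: it only matches a leading %AD, so it reduces exposure to the known pattern but does not replace upgrading to a fixed release or moving off CGI.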
