High-profile threat

CVE-2024-4577
PHP vulnerability analysis and mitigation

Summary

Researchers discovered a critical remote code execution vulnerability in PHP CGI, assigned CVE-2024-4577, that affects all Windows builds of PHP CGI. It allows unauthenticated attackers to execute arbitrary code on remote servers via argument injection, bypassing the protections introduced for an earlier vulnerability. A patch was released on June 6, 2024, and users are strongly advised to update to the latest PHP versions or to apply the temporary mitigations below. Wiz added a detection based on the early details of the vulnerability and will update it as new details come to light.

Technical details

The vulnerability stems from PHP's failure to account for the Best-Fit feature of Windows' character encoding conversion. Because of this oversight, specific character sequences can bypass the protections added for a previous vulnerability, CVE-2012-1823. The vulnerability affects PHP versions below 8.3.8, 8.2.20, and 8.1.29 on Windows. Attack scenarios include configurations that run PHP in CGI mode or that expose the PHP binary, such as XAMPP installations.

The vulnerability has been confirmed exploitable on Windows systems using the Traditional Chinese, Simplified Chinese, and Japanese locales. For other locales, such as English and Western European ones, a comprehensive asset assessment and PHP updates are still recommended, because the range of potential exploitation scenarios is wide.

Affected products

The following versions of PHP are impacted by this vulnerability:

  • PHP 8.3 before version 8.3.8
  • PHP 8.2 before version 8.2.20
  • PHP 8.1 before version 8.1.29

PHP 8.0, PHP 7, and PHP 5 are End-of-Life and no longer maintained; they are also assumed to be vulnerable.

Remediation

Upgrade to the patched PHP versions (8.3.8, 8.2.20, 8.1.29). PHP 8.0, PHP 7, and PHP 5 are End-of-Life and no longer maintained; upgrade to a supported branch, or use the temporary recommendations in the Mitigation section until you can.
</grreplace>
<gr_replace lines="233" cat="clarify" orig="For those unable">
For those unable to upgrade, apply the rewrite rules below to block attack requests. Note that these rules are only a temporary mitigation, and only for the Traditional Chinese, Simplified Chinese, and Japanese locales. Updating to a patched version, or migrating away from the PHP CGI architecture, is still recommended.

Mitigation

For those unable to upgrade, apply the provided Rewrite Rules to block attacks. Note that these rules are only a temporary mitigation for Traditional Chinese, Simplified Chinese, and Japanese locales. It is still recommended to update to a patched version or migrate the architecture in practice.

Rewrite rules:

# Reject (403 Forbidden) any request whose query string begins with %ad, case-insensitively
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
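As an added example (not part of the Wiz advisory), the following Python script encodes the version ranges from the Affected products list and applies the same predicate as the rewrite rule above to constructed access-log lines, so a defender can check a PHP build and review past traffic the rule would have blocked. The function names, the Windows-only scoping flag, and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# First fixed release per supported branch, from the advisory.
FIXED_VERSIONS = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}


def parse_version(text):
    """Turn 'PHP 8.2.19' or '8.2.19' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text, windows=True):
    """True when a Windows PHP build falls in the advisory's affected ranges."""
    if not windows:
        return False  # advisory scope: Windows builds of PHP CGI only
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if branch > max(FIXED_VERSIONS):
        return False  # assumption: newer branches shipped after the fix
    return True  # 8.0, 7.x, 5.x: End-of-Life, assumed vulnerable


# Request line inside an Apache combined-format entry: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Mirrors: RewriteCond %{QUERY_STRING} ^%ad [NC]
RULE_RE = re.compile(r"^%ad", re.IGNORECASE)


def query_string_blocked(target):
    """Same test as the rewrite rule: the raw query string starts with %ad.
    %ad is the percent-encoded soft hyphen (0xAD), which Windows best-fit
    conversion can map to an ASCII hyphen in the affected locales."""
    return bool(RULE_RE.match(urlsplit(target).query))


def flag_requests(log_lines):
    """Return (line number, request target) for entries the rule would block."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if m and query_string_blocked(m.group("target")):
            hits.append((n, m.group("target")))
    return hits


SAMPLE_LOG = [  # constructed entries, not real traffic
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?%ADx=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jun/2024:12:00:03 +0000] "POST /index.php?%adx=1 HTTP/1.1" 403 0',
    '10.0.0.8 - - [10/Jun/2024:12:00:04 +0000] "GET /index.php?q=%AD HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("PHP 8.2.19 affected:", is_affected("PHP 8.2.19"))
    print("blocked by rule:", flag_requests(SAMPLE_LOG))
```

The last sample entry is not flagged because the rule only inspects the start of the query string, which is why the advisory treats it as a temporary mitigation rather than a fix.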

XAMPP users should disable the PHP CGI feature if not needed by commenting out the relevant lines in the Apache HTTP Server configuration.

# ScriptAlias /php-cgi/ "C:/xampp/php/"

Source: Wiz Research
