PHP Critical Vulnerability Faces Attacks - Research Indicates Ease of Exploitation

PHP Critical Vulnerability Faces Attacks - Research Indicates Ease of Exploitation

Critical PHP Vulnerability Affects Thousands of Servers Worldwide

A critical remote code execution vulnerability, CVE-2024-4577, has been discovered in PHP on Windows operating systems, putting over 458,000 potentially vulnerable instances, primarily in the U.S. and Germany, at risk. The vulnerability, first identified by Devcore during offensive research, has been linked to an older flaw, CVE-2012-1823.

According to researchers at Censys, a remote, unauthenticated attacker can execute arbitrary PHP code on a vulnerable web server exposed to the internet. The vulnerability is related to errors in character encoding conversions that affect the "best fit" feature in Windows. Servers running a vulnerable version of the PHP scripting engine before the security updates issued last week are at risk.

The CVSS score of the vulnerability is 9.8, indicating high severity. Researchers at WatchTowr advise immediate upgrade for servers running versions in Chinese and Japanese languages, and mitigation steps for those running versions in other languages.

Mitigation Steps

The recommended steps for mitigating CVE-2024-4577 are as follows:

1. Update PHP: Immediately update PHP to a fixed or patched version. The most effective mitigation is to upgrade PHP to the latest version that addresses CVE-2024-4577.
2. Disable or avoid PHP in CGI mode on Windows: Since the vulnerability is specifically tied to the CGI mode operation on Windows servers, disabling CGI mode or switching to a different PHP handler (such as FastCGI or running PHP as a module in IIS) can reduce risk.
3. Virtual patching or temporary mitigations: Organizations that cannot immediately upgrade PHP can utilize virtual patching through Web Application and API Protection (WAAP) platforms or web application firewalls to block exploitation attempts targeting CVE-2024-4577.
4. Monitor security advisories and threat intelligence feeds: Stay vigilant by subscribing to threat intelligence updates and early alerts regarding this vulnerability to detect active exploitation attempts and apply mitigation measures promptly.
5. Review server and application logs: Attackers often leave traces in logs. Monitoring for unusual activity can help identify and respond to exploitation attempts early.
6. Limit exposure of PHP CGI interfaces to untrusted networks: Restrict access using firewall rules or network segmentation to limit the attack surface accessible to unauthorized users.

Attacks Already Reported

Researchers at Imperva have reported thousands of attacks against financial services, healthcare, and other targets in the U.S. and Brazil, leveraging the vulnerability to deliver ransomware. Additionally, researchers at Shadowserver reported multiple IPs testing the vulnerability against their honeypot sensors.

The Windows operating system of the web server needs to have its system locale set to use a code page that performs a specific string character conversion related to the dash character. Japanese and Chinese pages meet this requirement by default, but other languages are also vulnerable. PHP scripting must be exposed by the web server via the CGI mechanism for a server to be vulnerable.

In conclusion, the critical nature of CVE-2024-4577 necessitates prompt patching and reduction of attack vectors. Organizations are advised to follow the recommended mitigation steps and stay vigilant for updates and threats related to this vulnerability.

1. The discovered vulnerability, CVE-2024-4577, in PHP is linked to a rise in reported ransomware attacks, especially targeting financial services, healthcare, and other sectors in the U.S. and Brazil.
2. It is crucial to heed cybersecurity advice, such as updating PHP to a patched version, disabling or avoiding PHP in CGI mode on Windows, and employing virtual patching or temporary mitigations to counter this high-severity vulnerability.
3. Since the length of time a server remains unpatched increases its susceptibility to cyberattacks, it is essential for general-news readers to be aware of this vulnerability and the recommended mitigation steps to enhance their cybersecurity.

Read also: