Vulnerable PHP CVE facing exploitation ease, according to research findings
A critical remote code execution vulnerability, identified as CVE-2024-4577, has been discovered in PHP, affecting Windows systems. This vulnerability, initially uncovered during offensive research by Devcore, is causing concern due to its potential for widespread exploitation.
The Vulnerability and Its Implications
The vulnerability is linked to errors in character encoding conversions that impact the "best fit" feature in Windows, and it can be exploited only when PHP scripting is exposed by the web server via the CGI mechanism. The exploit targets PHP running in CGI mode, making Windows systems particularly vulnerable.
Researchers have identified over 458,000 potentially vulnerable instances, primarily in the U.S. and Germany. The vulnerability's critical nature is underscored by the widespread use of PHP in the web ecosystem.
Active Exploitation and Potential Threats
The vulnerability is being leveraged to deliver ransomware, according to researchers. Active exploitation has been observed, targeting financial services, healthcare, and other sectors in the U.S. and Brazil.
Recommended Mitigation Steps
The primary and most effective mitigation is to upgrade PHP to a non-vulnerable version and disable PHP-CGI mode if it is enabled. Here are the recommended steps:
- Upgrade PHP: Immediately update PHP to versions 8.3.8 or later, 8.2.20 or later, or 8.1.29 or later, as these contain fixes for this vulnerability.
- Disable PHP-CGI mode: Since the exploit targets PHP running in CGI mode, disabling this mode reduces attack surface.
- Apply Virtual Patching or Web Application Firewall (WAF) Rules: Virtual patches can block exploit attempts, providing temporary protection while upgrading PHP.
- Review Server Locale Settings and Configuration: The vulnerability is known to specifically affect systems with Traditional Chinese, Simplified Chinese, and Japanese locales running PHP-CGI mode on Windows. Verifying and hardening locale and configuration can help reduce risk.
- Monitor for Indicators of Compromise (IoCs): Given the active exploitation, monitoring network traffic and logs for suspicious PHP-CGI activity is advised.
Other Mitigation Measures
Researchers at WatchTowr advise upgrading to the most recent installations, particularly for those running versions in Chinese and Japanese languages due to the low complexity of the bug. However, the risk remains for versions in other languages, including English, so it's crucial to take mitigation steps regardless of the language used.
The Windows operating system of the web server needs to have its system locale set to a code page that performs a specific string character conversion related to the dash character. Japanese and Chinese pages meet this requirement by default.
CVSS Score and Further Investigations
The CVSS score of the vulnerability is 9.8, indicating a high severity level. Researchers at Shadowserver have reported multiple IPs testing the vulnerability against its honeypot sensors, underscoring the urgency for system administrators to take action.
Stay vigilant and ensure your systems are up-to-date to protect against this critical vulnerability.
[1] CVE-2024-4577 advisory [2] Imperva report [5] WAF vendor advisory
The vulnerability identified as CVE-2024-4577, discovered in PHP and causing concern due to its potential for widespread exploitation, is being leveraged to deliver ransomware. To mitigate this risk, it is recommended to not only upgrade PHP to a non-vulnerable version but also disable PHP-CGI mode if it is enabled, as this mode targets the exploit. Additionally, implementing virtual patching or Web Application Firewall (WAF) rules, reviewing server locale settings, and monitoring for Indicators of Compromise (IoCs) can further improve cybersecurity. Researchers suggest that upgrading to the most recent installations is crucial, especially for servers running versions in Chinese and Japanese languages, although the risk remains for other languages as well.
