A brand new PHP for Home windows distant code execution (RCE) vulnerability has been disclosed, impacting all releases since model 5.x, doubtlessly impacting an enormous variety of servers worldwide.
PHP is a broadly used open-source scripting language designed for net improvement and generally used on each Home windows and Linux servers.
The brand new RCE flaw tracked as CVE-2024-4577, was found by Devcore Principal Safety Researcher Orange Tsai on Might 7, 2024, who reported it to the PHP builders.
The PHP challenge maintainers launched a patch yesterday, addressing the vulnerability.
Nevertheless, the applying of safety updates on a challenge with such a large-scale deployment is difficult and will doubtlessly go away a major variety of techniques weak to assaults for prolonged durations.
Sadly, when a vital vulnerability impacting many units is disclosed, menace actors and researchers instantly start looking for weak techniques.
Such is the case with CVE-2024-4577, as The Shadowserver Basis has already detected a number of IP addresses scanning for weak servers.
The CVE-2024-4577 flaw
The CVE-2024-4577 flaw is attributable to an oversight in dealing with character encoding conversions, particularly the ‘Finest-Match’ function on Home windows when PHP is utilized in CGI mode.
“Whereas implementing PHP, the staff didn’t discover the Finest-Match function of encoding conversion throughout the Home windows working system,” explains a DevCore advisory.
“This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”
This flaw circumvents the protections the PHP staff had applied previously for CVE-2012-1823, which was exploited in malware assaults a number of years after its remediation.
The analysts clarify that even when PHP just isn’t configured in CGI mode, CVE-2024-4577 would possibly nonetheless be exploitable so long as the PHP executables (e.g., php.exe or php-cgi.exe) are in directories which can be accessible by the net server.
Attributable to this being the default configuration on XAMPP for Home windows, DEVCORE warns that each one XAMPP installations on Home windows are possible weak.
The difficulty is worse when sure locates which can be extra prone to this encoding conversion flaw are used, together with Conventional Chinese language, Simplified Chinese language, and Japanese.
As Devcore says the CVE-2024-4577 vulnerability impacts all variations of PHP for Home windows, if you’re utilizing PHP 8.0 (Finish of Life), PHP 7.x (EoL), or PHP 5.x (EoL), you both must improve to a more recent model or use the mitigations described under.
Remediation technique
These utilizing supported PHP variations ought to improve to the variations that incorporate the patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.
For techniques that can not be instantly upgraded and customers of EoL variations, it is strongly recommended to use a mod_rewrite rule to dam assaults, like the next:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%advert [NC]
RewriteRule .? – [F,L]
In case you use XAMPP and don’t want the PHP CGI function, discover the ‘ScriptAlias’ directive within the Apache configuration file (sometimes at ‘C:/xampp/apache/conf/further/httpd-xampp.conf’) and remark it out.
Admins can decide in the event that they use PHP-CGI utilizing the phpinfo() operate and checking the ‘Server API‘ worth within the output.
DEVCORE additionally means that system directors think about migrating from CGI to safer options, like FastCGI, PHP-FPM, and Mod-PHP.