A brand new PHP for Home windows distant code execution (RCE) vulnerability has been disclosed, impacting all releases since model 5.x, probably impacting an enormous variety of servers worldwide.
PHP is a broadly used open-source scripting language designed for internet growth and generally used on each Home windows and Linux servers.
The brand new RCE flaw tracked as CVE-2024-4577, was found by Devcore Principal Safety Researcher Orange Tsai on Might 7, 2024, who reported it to the PHP builders.
The PHP venture maintainers launched a patch yesterday, addressing the vulnerability.
Nonetheless, the applying of safety updates on a venture with such a large-scale deployment is difficult and will probably go away a big variety of techniques susceptible to assaults for prolonged intervals.
Sadly, when a essential vulnerability impacting many units is disclosed, menace actors and researchers instantly start searching for susceptible techniques.
Such is the case with CVE-2024-4577, as The Shadowserver Basis has already detected a number of IP addresses scanning for susceptible servers.
The CVE-2024-4577 flaw
The CVE-2024-4577 flaw is attributable to an oversight in dealing with character encoding conversions, particularly the ‘Finest-Match’ function on Home windows when PHP is utilized in CGI mode.
“Whereas implementing PHP, the group didn’t discover the Finest-Match function of encoding conversion inside the Home windows working system,” explains a DevCore advisory.
“This oversight permits unauthenticated attackers to bypass the earlier safety of CVE-2012-1823 by particular character sequences. Arbitrary code may be executed on distant PHP servers via the argument injection assault.”
This flaw circumvents the protections the PHP group had carried out prior to now for CVE-2012-1823, which was exploited in malware assaults a number of years after its remediation.
The analysts clarify that even when PHP will not be configured in CGI mode, CVE-2024-4577 would possibly nonetheless be exploitable so long as the PHP executables (e.g., php.exe or php-cgi.exe) are in directories which might be accessible by the online server.
As a result of this being the default configuration on XAMPP for Home windows, DEVCORE warns that every one XAMPP installations on Home windows are doubtless susceptible.
The problem is worse when sure locates which might be extra inclined to this encoding conversion flaw are used, together with Conventional Chinese language, Simplified Chinese language, and Japanese.
As Devcore says the CVE-2024-4577 vulnerability impacts all variations of PHP for Home windows, if you’re utilizing PHP 8.0 (Finish of Life), PHP 7.x (EoL), or PHP 5.x (EoL), you both have to improve to a more recent model or use the mitigations described under.
Remediation technique
These utilizing supported PHP variations ought to improve to the variations that incorporate the patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.
For techniques that can not be instantly upgraded and customers of EoL variations, it’s endorsed to use a mod_rewrite rule to dam assaults, like the next:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%advert [NC]
RewriteRule .? – [F,L]
In case you use XAMPP and don’t want the PHP CGI function, discover the ‘ScriptAlias’ directive within the Apache configuration file (sometimes at ‘C:/xampp/apache/conf/further/httpd-xampp.conf’) and remark it out.
Admins can decide in the event that they use PHP-CGI utilizing the phpinfo() operate and checking the ‘Server API‘ worth within the output.
DEVCORE additionally means that system directors think about migrating from CGI to safer options, like FastCGI, PHP-FPM, and Mod-PHP.