New versions of PHP address a critical vulnerability that could lead to arbitrary PHP code execution

Threat ID:CC-4508

Threat Severity:Medium

Published:11 June 2024 12:48 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: Windows OS Versions 8.1 to 8.1.29 | 8.2 to 8.2.20 | 8.3 to 8.3.8

PHP

Threat details

End-of-life versions also affected

Following the release of PHP 8.0, PHP 7 and PHP 5 are end-of-life (EOL) and are no longer maintained. Refer to the "Am I Vulnerable?" section of the DEVCORE security alert to review possible mitigation.

Introduction

DEVCORE has discovered a critical security vulnerability in PHP versions installed on Microsoft Windows operating system (OS). PHP is a widely used open-source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

The CGI argument injection vulnerability is known as CVE-2024-4577 and has a CVSSv3.1 score of 9.8. An attacker could exploit this vulnerability to execute arbitrary PHP code on vulnerable instances.

Active Exploitation of CVE-2024-4577

A public proof-of-concept is available for this vulnerability and security researchers have observed exploitation attempts in the wild.

Remediation advice

Affected organisations are encouraged to review the DEVCORE security alert and follow the remediation guidance as soon as possible.

Definitive source of threat updates

https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/

CVE Vulnerabilities

StatusPublished

CVE-2024-4577In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Last edited: 11 June 2024 12:48 pm