CVE-2024-4577: PHP Injection Vulnerability in Windows Server

In respect to the disclosure of CVE-2024-4577, and its Proof of Concept (PoC) release, another security flaw is making waves in the cyber threat landscape. The newly identified CVE-2024-4577 vulnerability, affecting Windows-based PHP servers, could allow Remote Code Execution (RCE) if successfully exploited. This CGI argument injection flaw impacts all versions of PHP on Windows OS and affects all default XAMPP installations. In the blog, we will discuss more about this vulnerability in detail. 

CVE-2024-4577 Vulnerability

A new critical security flaw impacting PHP, identified as CVE-2024-4577, has emerged and could be exploited to achieve remote code execution. This CGI argument injection vulnerability affected all PHP versions on the Windows operating system. DEVCORE security researchers revealed that the flaw bypasses protections from a previous vulnerability, CVE-2012-1823, by exploiting the best-fit feature of Windows encoding conversion. As a result, arbitrary code execution is possible on remote PHP servers. 
The updates were released in PHP versions 8.3.8, 8.2.20, and 8.1.29. DEVCORE warns that XAMPP installations on Windows are particularly vulnerable when using Traditional Chinese, Simplified Chinese, or Japanese locales. Administrators should switch to more secure options such as Mod-PHP, FastCGI, or PHP-FPM. The Shadowserver Foundation detected exploitation attempts within 24 hours of disclosure, while Watchtower Labs successfully devised an exploit, emphasizing the urgency for users to apply the latest patches.

Impact of the Vulnerability

CVE-2024-4577 poses substantial risks due to its low complexity for exploitation and the publicly accessible PoC exploit code on GitHub, increasing the likelihood of real-world attacks. This situation demands a rapid response from defenders and heightened cybersecurity awareness. To address these challenges, rely on SOC Prime’s comprehensive product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation. This suite enables timely identification and resolution of cyber defense blind spots, proactive hunting for emerging threats, and prioritization of detection efforts, ensuring you stay ahead of attackers.

How Can You Determine if you’re Vulnerable to the attack?

For the common Apache HTTP Server and PHP combination, website administrators can use the two methods described in this article to check if their server is vulnerable to attacks. Scenario 2 is the default configuration for XAMPP installations on Windows, making all versions of XAMPP for Windows inherently vulnerable to this issue.

Unauthorized attackers can execute arbitrary code directly on the remote server when the Windows operating system is configured with the following languages:

• Traditional Chinese (character page 950)
• Simplified Chinese (code page 936)
• Japanese (code page 932)

For Windows operating systems running in English, Korean, and Western European languages, the extensive range of PHP usage scenarios makes it difficult to fully list and exclude all potential vulnerabilities.

Conditions of a Server Vulnerable to Attack

Below are a few conditions of a server vulnerable to attack: 

• The issue specifically affects web servers running on Windows due to how the operating system converts specific string characters based on the locale settings. As a result, web servers running on Linux remain unaffected by this vulnerability.

• The web server must also have a version of the PHP scripting engine that is vulnerable, predating the security updates issued last week.

• The web server must utilize the PHP scripting engine through the CGI mechanism. 

• The Windows operating system hosting the web server must have its system locale configured to utilize a code page that includes specific string character conversions related to the dash character. While Japanese and Chinese locales meet this requirement by default, other languages may also be vulnerable.

Preventive Measures to Mitigate Such Attacks

Addressing CVE-2024-4577 necessitates a comprehensive strategy that includes proactive measures and prompt application of patches. Key strategies for mitigation involve:

Immediate Patching

System administrators should promptly update PHP installations to the patched versions (8.3.8, 8.2.20, and 8.1.29) released by the PHP Group.

Disabling CGI Features

In vulnerable environments such as XAMPP, mitigating the risk of exploitation can be achieved by disabling PHP CGI features.

Modifying Server Configurations

Strengthening server defenses against potential exploits can be accomplished by implementing mod_rewrite rules, which enhance current security measures.

Kratikal a CERT-In empanelled auditor offers comprehensive Vulnerability Assessment and Penetration Testing (VAPT) services to safeguard organizations against critical vulnerabilities like CVE-2024-4577. Our expert team ensures proactive identification and mitigation of security risks through thorough assessments and prompt patching recommendations. By disabling vulnerable PHP CGI features and implementing mod_rewrite rules, we protect server configurations to strengthen digital assets against potential exploits. 

Trust Kratikal for robust cybersecurity solutions that prioritize your organization’s resilience against emerging threats. 

Conclusion

The CVE-2024-4577 vulnerability underscores the critical importance of maintaining up-to-date security practices and being vigilant about emerging threats. This newly identified CGI argument injection flaw poses a serious risk, particularly to Windows-based PHP servers and default XAMPP installations. The low complexity of the exploit and the availability of PoC code on GitHub significantly increase the likelihood of real-world attacks.

To mitigate the risks associated with CVE-2024-4577, it is imperative for system administrators to act swiftly. Updating PHP to the latest patched versions is crucial, alongside disabling CGI features in vulnerable environments and employing mod_rewrite rules to bolster server defenses. Comprehensive asset inventories and regular updates are essential, especially for systems using locales that default to vulnerable code pages. 

FAQs