Critical vulnerability discovered in PHP CGI: how to protect your systems from CVE-2024-4577
Find out how a security flaw in PHP CGI threatens your Windows servers and what immediate steps to take to protect yourself
Akamai has discovered a serious vulnerability in PHP (CVE-2024-4577) that allows remote code execution on Windows systems with CGI configurations. Bad actors can exploit it to spread malware and crypto mining attacks. Installing patches and using WAF is critical for protection.
Akamai Technologies' Security Intelligence Response Team (SIRT) has identified a dangerous vulnerability in PHP, tracked as CVE-2024-4577. The flaw affects PHP installations running in CGI mode (the Common Gateway Interface, a protocol through which web servers hand requests to external programs). It primarily impacts Windows systems whose locale is set to Chinese or Japanese, but the full set of vulnerable installations is still under investigation. Within 24 hours of the vulnerability being published, the SIRT team observed numerous exploitation attempts, underscoring both its severity and the speed with which threat actors adopted it. Attackers use the flaw to achieve remote code execution (RCE) through command injection, delivering payloads such as the Gh0stRAT malware and the RedTail and XMRig crypto miners.
Vulnerability mechanism and potential exploits
The vulnerability stems from the way PHP's CGI handler on Windows interprets certain Unicode characters. An attacker sends a request that PHP misinterprets because of this flaw: the exploit places PHP code in the body of the HTTP request and references it through the php://input stream wrapper, while manipulating configuration directives such as auto_prepend_file and allow_url_include. Two query strings can look identical to the eye yet differ in a single character: a standard hyphen (0x2D) versus a "soft hyphen" (0xAD). Because the soft hyphen is not caught by the checks that look for a literal hyphen but is later mapped to one, the attacker can smuggle additional command-line arguments to the PHP CGI binary, which is what makes the exploit so versatile.
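The following detection logic is an added example, not code from Akamai or from the article. It models the hyphen (0x2D) versus soft hyphen (0xAD) distinction described above and scans constructed web-server access-log lines for the signs a defender would look for: a soft hyphen sitting where a PHP CGI option switch would go, a `-d` override of the auto_prepend_file or allow_url_include directives once the soft hyphen has been normalised, and a reference to the php://input wrapper in the query string. The log lines, client addresses and paths are constructed for the example; only the soft hyphen is modelled in the normalisation step, since that is the character the article names.

```python
"""Detect CVE-2024-4577-style argument injection in access logs.

Added example for illustration; not Akamai's code. The sample log lines
below are constructed, not captured traffic.
"""
import re
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = "\u00ad"  # byte 0xAD, contrasted in the article with 0x2D '-'

# php.ini directives the article names as manipulated by the exploit
SENSITIVE_DIRECTIVES = ("auto_prepend_file", "allow_url_include")

# Matches the request line inside a common-log-format entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed sample access-log lines (assumption: common log format)
SAMPLE_LOGS = [
    '203.0.113.10 - - [07/Jun/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.11 - - [07/Jun/2024:10:00:01 +0000] "POST /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 0',
    '203.0.113.12 - - [07/Jun/2024:10:00:02 +0000] "GET /test.php?-d+display_errors=1 HTTP/1.1" 403 0',
    '203.0.113.13 - - [07/Jun/2024:10:00:03 +0000] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 1024',
]


def decode_query(query: str) -> str:
    """Percent-decode a query string to text while preserving byte 0xAD as U+00AD.

    Latin-1 decoding is a 1:1 byte-to-character mapping, so no byte is lost or
    merged. Note that a multibyte UTF-8 sequence containing 0xAD as a
    continuation byte will also show up as U+00AD here; treat a hit as a
    trigger for review rather than proof of attack.
    """
    raw = unquote_to_bytes(query.replace("+", " "))
    return raw.decode("latin-1")


def best_fit(text: str) -> str:
    """Model of the character mapping that turns a soft hyphen into an ASCII
    hyphen before php-cgi parses its arguments. Only the soft hyphen is
    modelled (assumption for this example); the real Windows table is larger.
    """
    return text.replace(SOFT_HYPHEN, "-")


def inspect_target(target: str) -> list[str]:
    """Return a list of findings for one request target (path plus query)."""
    findings: list[str] = []
    _path, _, query = target.partition("?")
    if not query:
        return findings
    decoded = decode_query(query)

    # 1. A soft hyphen immediately followed by a letter: the shape of a
    #    php-cgi option switch that a literal '-' filter would miss.
    if re.search(SOFT_HYPHEN + r"[a-zA-Z]", decoded):
        findings.append("soft-hyphen option switch in query (0xAD before a letter)")

    # 2. After normalisation, a -d override of a directive the article names.
    normalised = best_fit(decoded)
    for directive in SENSITIVE_DIRECTIVES:
        if re.search(r"-d\s*" + re.escape(directive), normalised):
            findings.append(f"-d override of {directive}")

    # 3. The php://input wrapper appearing in a query string.
    if "php://input" in normalised:
        findings.append("php://input wrapper referenced in query")
    return findings


def scan_log(lines):
    """Return (client, target, findings) for every suspicious request line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_target(match.group("target"))
        if findings:
            hits.append((line.split()[0], match.group("target"), findings))
    return hits


if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOGS):
        print(client, target)
        for finding in findings:
            print("   -", finding)
```

Run as-is, the script reports only the second sample line: the plain `-d display_errors=1` request on the third line carries neither a soft hyphen nor one of the named directives, and the UTF-8 `é` on the fourth line decodes to bytes that never include 0xAD. In production the same three checks translate directly into a WAF or IDS rule; the byte-level soft-hyphen check is the one that catches the bypass the article describes, while the directive and php://input checks describe the attacker's intent once the switch has been accepted.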
Detailed analysis of the malware involved
Among the payloads identified, Gh0stRAT was caught in Akamai honeypots, systems deployed to attract and analyze cyber attacks. The malware is UPX-packed; it tampers with HTTP installations and spreads further malicious payloads, including additional malware fetched from remote servers. The RedTail crypto miner deploys a shell script that downloads and executes the mining malware, targeting directories with specific permissions. The Muhstik campaign uses a shell script to download an ELF binary intended for crypto mining and DDoS attacks, while XMRig uses PowerShell to download and run scripts from a remote mining pool and then performs cleanup operations to hide the attack.
Recommendations and safety measures
Akamai strongly recommends applying the necessary patches immediately and monitoring systems for indicators of compromise (IoC). Customers using Akamai's Web Application Firewall (WAF) and Adaptive Security Engine are already protected from these threats by the specific rules and configurations provided. Implementing these measures is critical to a robust defense against the many forms of attack that exploit CVE-2024-4577, and they help preserve the integrity of your systems and prevent future compromises.
07/12/2024 08:01
Marco Verro