Serious security flaw in PHP on Windows server in CGI mode
CVE-2024-4577 vulnerability details and essential mitigations for PHP servers on Windows in CGI mode
DEVCORE has discovered a serious vulnerability (CVE-2024-4577) in PHP on Windows in CGI mode, which allows remote code execution. It affects several versions of PHP and poses a critical risk to servers. Immediate updating of PHP is recommended.
In the world of cybersecurity, Taiwanese company DEVCORE has identified a significant vulnerability in PHP installations on Windows in CGI mode. The vulnerability, identified with code CVE-2024-4577, does not yet have a specific CVSS score but allows attackers to manipulate command line arguments, leading to the possibility of remote code execution (RCE). According to DEVCORE, the problem has its roots in the old vulnerability CVE-2012-1823, since the new bug allows you to bypass the security measures introduced against the latter by using particular character sequences.
Affected PHP versions and risk to websites
The CVE-2024-4577 security flaw affects numerous versions of PHP on Windows servers, specifically: PHP 8.3 through 8.3.8, PHP 8.2 through 8.2.20, and PHP 8.1 through 8.1.29. The widespread diffusion of PHP within the web ecosystem, together with the simplicity of exploiting this flaw, have led experts to classify the vulnerability as critical. Immediately reported to the official PHP team, the vulnerability was made public only after the release of the corrected PHP versions, available for download from the official website. Experts estimate that the vulnerability could affect millions of websites and services hosted on Windows servers running PHP in CGI mode.
Impact on Windows servers in different locations
At the time of disclosure, it has been confirmed that an unauthorized malicious actor can execute arbitrary code on a remote server in specific interface locales, specifically: Traditional Chinese, Simplified Chinese, and Japanese. For other Windows instances in other localizations, given the wide range of uses of PHP, researchers cannot yet rule out other possible ways of exploitation. System administrators are therefore strongly encouraged to conduct their own security assessments, review their use cases, and update PHP to the latest available version to maintain the security of their systems.
Immediate action and safety recommendations
WatchTowr Labs researchers have already created and made public an exploit for this vulnerability, calling it easily replicable. Therefore, immediately updating PHP to the correct version is crucial to avoid potential attacks. To mitigate further risks, IT managers are also advised to regularly review server configurations, perform security audits, and train staff in the secure use and management of systems. Despite the criticality of the situation, taking these measures quickly can significantly reduce the risk of compromise.
Follow us on Instagram for more pills like this06/08/2024 20:22
Marco Verro