Critical RCE vulnerability in PHP CGI: everything you need to know

Detect and mitigate CVE-2024-4577, a critical remote code execution vulnerability in PHP CGI. Organizations are advised to patch urgently.


Researchers discovered a critical remote code execution vulnerability in PHP CGI, assigned CVE-2024-4577, affecting PHP on Windows when it runs in CGI mode or otherwise exposes the php-cgi binary. The flaw lets unauthenticated attackers inject command-line arguments into php-cgi and execute arbitrary code on the server, bypassing the fix for the earlier argument-injection flaw CVE-2012-1823. Fixed releases were published on June 6, 2024, and users are strongly advised to update to them or apply the temporary mitigations described below.

June 16 update:

The TellYouThePass ransomware gang has been exploiting the recently patched vulnerability (CVE-2024-4577) in PHP to deploy webshells and execute their encryptor payload on target systems. Attacks started on June 8, just after the release of security updates, using publicly available exploit code. Known for exploiting widely impactful vulnerabilities, TellYouThePass has previously used Apache ActiveMQ and Log4j vulnerabilities. The current attacks involve encrypting files and demanding a ransom of 0.1 BTC (~$6,700) for decryption.

What is CVE-2024-4577? 

The vulnerability stems from an oversight in the Windows build of PHP: it did not account for the Best-Fit behaviour of Windows encoding conversion. In the affected locales, certain non-ASCII characters passed on the command line are converted to a "best fit" ASCII equivalent; in particular the soft-hyphen byte 0xAD (percent-encoded as %ad in a URL) ends up as an ASCII hyphen (0x2D), so a query-string word beginning with it is parsed by php-cgi as a command-line option. This lets an unauthenticated attacker bypass the protection added for CVE-2012-1823 and carry out an argument-injection attack, resulting in arbitrary code execution on the PHP server.

Vulnerable configurations include any deployment running PHP in CGI mode, and any that expose the php-cgi binary over HTTP even when CGI mode is not in use; XAMPP for Windows does the latter by default.

Exploitation has been demonstrated on Windows systems using the Traditional Chinese (code page 950), Simplified Chinese (code page 936) and Japanese (code page 932) locales. No exploitation path is currently known for other locales such as English and Western European, but a full asset assessment and PHP update are still recommended, since other locales may turn out to be exploitable in the future.

Who is Affected? 

The following versions of PHP are impacted by this vulnerability: 

  • PHP 8.3 before version 8.3.8 

  • PHP 8.2 before version 8.2.20 

  • PHP 8.1 before version 8.1.29 

PHP 8.0, PHP 7 and PHP 5 are End-of-Life, receive no fixes, and should be assumed vulnerable.
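The version list above is easy to get wrong in an inventory sweep (8.2.20 is fixed, 8.3.7 is not, and the EOL branches have no fixed release at all). The following is an added example, not code from the advisory or from the PHP project, that classifies version strings against the fixed releases listed above and triages a constructed, hypothetical host inventory; the inventory fields and host names are assumptions for illustration.

```python
# Added example (not from the original advisory): classify a PHP version
# string against the fixed releases for CVE-2024-4577 and triage an inventory.
import re

# Fixed release per supported branch, as listed in the advisory.
FIXED_VERSIONS = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}


def parse_version(version):
    """Turn '8.2.19' (optionally with a suffix such as '8.2.19-dev') into (8, 2, 19)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this release predates the fix or sits on an End-of-Life branch.

    This is a version check only: the host must also be Windows and run php-cgi
    (or expose it over HTTP) for the CVE to apply.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # 8.0, 7.x and 5.x are EOL with no fix published: assume vulnerable.
        # Branches newer than 8.3 were released after the fix and are treated as fixed.
        return (major, minor) < (8, 1)
    return (major, minor, patch) < fixed


def triage(inventory):
    """Return the names of Windows hosts that run php-cgi on a vulnerable version."""
    return [
        h["host"]
        for h in inventory
        if h["os"] == "windows" and h["cgi"] and is_vulnerable(h["php"])
    ]


# Constructed sample inventory (hypothetical hosts); the "php" field is what
# `php-cgi.exe -v` reports on each host, "cgi" whether php-cgi is enabled/exposed.
SAMPLE_INVENTORY = [
    {"host": "web-01", "os": "windows", "php": "8.3.7", "cgi": True},
    {"host": "web-02", "os": "windows", "php": "8.3.8", "cgi": True},
    {"host": "web-03", "os": "windows", "php": "7.4.33", "cgi": True},
    {"host": "web-04", "os": "linux", "php": "8.1.28", "cgi": True},
    {"host": "web-05", "os": "windows", "php": "8.2.19", "cgi": False},
]

if __name__ == "__main__":
    print("hosts to patch:", triage(SAMPLE_INVENTORY))
```

web-04 is excluded because the flaw is Windows-only, and web-05 because php-cgi is not enabled there; both still run pre-fix releases and belong in the patch queue for other reasons, so a real sweep should report them separately rather than drop them.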

Wiz Research data: what’s the risk to cloud environments?      

According to Wiz data, 34% of cloud environments have Windows resources running vulnerable versions of PHP.  

What sort of exploitation has been identified in the wild?  

A proof-of-concept has been published and exploitation attempts have been observed by researchers.  

June 11 update:

TellYouThePass leverages the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code on target systems. The gang uses the Windows mshta.exe binary to run a malicious HTML application (HTA) file containing VBScript with a base64-encoded string. This string decodes into a binary, loading a .NET variant of the ransomware into the host's memory. The ransomware then sends an HTTP request disguised as a CSS resource request to a command-and-control server and encrypts files on the infected machine. A ransom note, "READ_ME10.html," is left on the system with instructions for the victim on how to restore their files. Reports indicate that these attacks have impacted multiple websites since they began.

Which actions should security teams take? 

Upgrade to a fixed release: PHP 8.3.8, 8.2.20 or 8.1.29. PHP 8.0, PHP 7 and PHP 5 are End-of-Life and no longer maintained; deployments on those branches should move to a supported branch, or apply the temporary mitigations below until they can.

For those unable to upgrade, apply the Rewrite Rules below to block attacks. Note that these rules are only a temporary mitigation and have only been verified for the Traditional Chinese, Simplified Chinese and Japanese locales. Updating to a patched version, or moving off CGI mode altogether (for example to FastCGI or PHP-FPM), remains the recommendation.

Rewrite rules: 

RewriteEngine On 
RewriteCond %{QUERY_STRING} ^%ad [NC] 
RewriteRule .? - [F,L] 
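The rule above is anchored: it blocks only query strings that begin with %ad. A practitioner hunting for exploitation attempts in existing logs will want something broader. The following is an added example, not code from the advisory or from PHP, that evaluates the advisory's RewriteCond against Apache access-log lines and compares it with a check that looks for the soft-hyphen byte in any command-line word of an "indexed" CGI query (one with no raw "=", which per RFC 3875 section 4.4 is what the web server passes to php-cgi as arguments). The log lines are constructed for illustration; the client addresses and paths are assumptions.

```python
# Added example (not part of the original advisory): compare the advisory's
# mod_rewrite mitigation with a broader log-hunting check for CVE-2024-4577.
import re
from urllib.parse import unquote_to_bytes

# Equivalent of `RewriteCond %{QUERY_STRING} ^%ad [NC]`: the literal characters
# "%ad" at the very start of the query string, case-insensitive.
REWRITE_RULE = re.compile(r"^%ad", re.IGNORECASE)

# Soft hyphen (U+00AD / byte 0xAD); Best-Fit maps it to '-' (0x2D) in the
# affected Windows locales, which is what turns a word into a php-cgi option.
SOFT_HYPHEN = 0xAD

# Apache combined log format: client, identd, user, [timestamp], "METHOD target proto" ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def query_string(request_target):
    """Return the query-string part of a request target, or '' if there is none."""
    _, sep, qs = request_target.partition("?")
    return qs if sep else ""


def blocked_by_rewrite_rule(request_target):
    """Would the advisory's rewrite rule have returned 403 for this request?"""
    return REWRITE_RULE.search(query_string(request_target)) is not None


def contains_soft_hyphen(request_target):
    """Loosest check: the 0xAD byte anywhere in the percent-decoded query string.
    Fires on legitimate UTF-8 too (e.g. 'í' is C3 AD), so treat as a lead, not a verdict."""
    return SOFT_HYPHEN in unquote_to_bytes(query_string(request_target))


def argv_injection_candidate(request_target):
    """Narrower check: an 'indexed' CGI query (no raw '=', so the server splits it on
    '+' and passes the words to php-cgi as argv, RFC 3875 s4.4) in which some word,
    once percent-decoded, contains the soft-hyphen byte. Unlike the rewrite rule, this
    does not care where in the query string the word appears."""
    qs = query_string(request_target)
    if not qs or "=" in qs:
        return False
    return any(SOFT_HYPHEN in unquote_to_bytes(word) for word in qs.split("+"))


def scan_access_log(lines):
    """Parse combined-format lines and report which checks fire for each request."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m.group("target")
        results.append({
            "client": m.group("client"),
            "target": target,
            "rewrite_rule": blocked_by_rewrite_rule(target),
            "argv_injection": argv_injection_candidate(target),
        })
    return results


# Constructed sample log lines (not real traffic). Lines 1-2 are argument-injection
# attempts with a soft hyphen; line 3 is a harmless search for "café"-style input
# containing C3 AD; line 4 is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2024:10:01:02 +0000] "GET /php-cgi/php-cgi.exe?%ADd+x HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.5 - - [08/Jun/2024:10:01:03 +0000] "GET /php-cgi/php-cgi.exe?foo+%add+x HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '198.51.100.7 - - [08/Jun/2024:10:02:00 +0000] "GET /index.php?q=caf%C3%AD HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2024:10:02:05 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in scan_access_log(SAMPLE_LOG):
        print(r)
```

The second sample request is the one to note: the soft hyphen is not the first thing in the query string, so the anchored rewrite rule does not fire, while the argv-based check does. That is one reason the rewrite rule is a stop-gap rather than a fix.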

XAMPP users who do not need PHP CGI should disable it by commenting out the ScriptAlias line in the Apache HTTP Server configuration (C:/xampp/apache/conf/extra/httpd-xampp.conf):

# ScriptAlias /php-cgi/ "C:/xampp/php/"

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 
