CVE-2024-4577 could be exploited in all variations of PHP for Home windows and result in the execution of malicious code
A crucial vulnerability in PHP has lately been printed that may result in distant command injection. The vulnerability could be exploited in all variations of PHP for Home windows specifically in Conventional Chinese language, Simplified Chinese language and Japanese language configurations, even in default installations utilizing XAMPP. There are at present a number of PoCs with public exploits that reveal the vulnerability.
The vulnerability, whose identifier is CVE-2024-4577, has a CVSS v3 rating of 9.8 in line with NIST and is predicated on the CGI engine not escaping the comfortable hyphen (0xAD), which PHP receives and applies a “best fit” mapping, because it thinks we wish to put an actual hyphen in place of it, thus permitting an attacker to add further arguments to take advantage of the vulnerability.
PHP is a programming language primarily used for growing dynamic internet pages and internet functions. It runs on the server and integrates simply with HTML and databases like MySQL. Resulting from its simplicity and in depth documentation, PHP could be very in style amongst builders, permitting them to create strong web sites and internet functions effectively.
The vulnerability CVE-2024-4577 applies to the next PHP variations:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Older variations, that are now not supported resembling PHP 8, PHP 7 and PHP 5 are additionally susceptible.
Essential options
The primary traits of this vulnerability are detailed under:
- CVE Identifier: CVE-2024-4577
- Launch date: 09/06/2024
- Affected software program: PHP
- CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
- Affected variations
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
- PHP 8
- PHP 7
- PHP 5
- Exploitation Necessities
- PHP software program have to be configured in CGI mode.
- Exploitation is feasible if php.exe or php-cgi.exe binaries are uncovered (all default installations in XAMPP for Home windows).
- Working system have to be Home windows.
Mitigation of CVE-2024-4577
The primary resolution is to urgently replace the PHP software program to one of many new patched variations that repair this vulnerability:
A short-term mitigation could be to rewrite the next rule, however it is just appropriate for Conventional Chinese language, Simplified Chinese language and Japanese installations:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%advert [NC]
RewriteRule .? - [F,L]
For default installations of XAMPP on Home windows chances are you'll select to remark out the next line in the httpd-xampp.conf file:
# ScriptAlias /php-cgi/ "C:/xampp/php/"
Lastly, it's advisable to consider the migration to safer architectures resembling Mod-PHP, FastCGI or PHP-FPM.
Vulnerability detection
The presence of the vulnerability could be recognized by model quantity or by the use of scripts or Nuclei templates.
It is suggested to use the patch urgently, as malicious actors are using the TellYouThePass ransomware to actively exploit it.
As a part of its rising vulnerabilities service, Tarlogic proactively displays the perimeter of its purchasers to report, detect, and urgently notify of the presence of this vulnerability, in addition to different crucial threats that would have a severe affect on the safety of their property.
