VTA-004485 – New PHP Flaw Puts Windows Servers at Risk of Remote Code Execution

There is a new critical security flaw in PHP, known as CVE-2024-4577, which allows remote code execution on Windows servers. The attack works by exploiting a CGI argument injection vulnerability in PHP. The flaw bypasses previous security fixes using special character sequences. This allow attackers to execute arbitrary code on remote servers through this argument injection attack. A fix was released on June 6, 2024, for PHP versions 8.3.8, 8.2.20, and 8.1.29.
Security researcher Orange Tsai explained that a Windows feature lets attackers bypass the old fix for CVE-2012-1823. Researchers warn that XAMPP installations on Windows are vulnerable, especially with Traditional Chinese, Simplified Chinese, or Japanese locales, and they recommend switching to more secure options like Mod-PHP, FastCGI, or PHP-FPM.
The Shadowserver Foundation had detected attempts to exploit the flaw within 24 hours of its disclosure. Researchers confirmed the vulnerability could be exploited and urged users to update quickly due to its simplicity and high risk.

 

Severity:
High

Attack Surface:
Server OS

Tactics:

Command and Control, Execution

Techniques:

T1569 – System Services
T1659 – Content Injection
T1219 – Remote Access Software

Indicator of Compromise:
https://otx.alienvault.com/pulse/666738ab114e0256ccaab12b

References:
1. https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/

SuperPRO’s Threat Countermeasures Procedures: 
1. Apply the latest patches
2. Move away from PHP CGI and opt for more secure solution such as Mod-PHP, FastCGI, or PHP-FPM
3. Act quickly to apply patches due to the high chance of mass exploitation.

Contributed by: Eddy Leong