Dive Brief:
- Devcore researchers are warning that a critical argument injection vulnerability in PHP could be exploited to achieve remote code execution. The vulnerability affects all versions of PHP installed on the Windows operating system, researchers said last week.
- The vulnerability, listed as CVE-2024-4577, has a CVSS score of 9.8 and could allow an attacker to take over an affected system, according to researchers at Censys.
- Censys identified more than 458,000 potentially vulnerable instances, mainly in the U.S. and Germany, though the figures may overestimate the potential impact. Researchers at Shadowserver reported multiple IPs testing the vulnerability against its honeypot sensors.
Dive Insight:
Devcore originally discovered the vulnerability while conducting offensive research. They classified the flaw as critical due to the widespread use of PHP in the web ecosystem.
The vulnerability is the result of errors in character encoding conversions, which affect the “best fit” feature in Windows, according to Censys. The vulnerability is linked to an older flaw, CVE-2012-1823, where attackers were able to bypass previous protections, Devcore found.
“The potential threat for CVE-2024-4577 is that a remote unauthenticated attacker can execute arbitrary PHP code on a vulnerable web server exposed to the internet, and in doing so execute arbitrary code on the target system,” Stephen Fewer, principal security researcher at Rapid7, said via email.
Fewer cautioned that multiple conditions must be met for a server to be vulnerable to attack.
- A web server must be running on Windows, as the root cause involves how Windows converts certain string characters, depending on locale setting. Therefore a web server running on Linux would not be impacted.
- The web server must also be running a vulnerable version of the PHP scripting engine, before the security updates were issued last week.
- PHP scripting must be exposed by the web server via the CGI mechanism.
- The Windows operating system of the web server needs to have its system locale set to use a code page that performs a specific string character conversion related to the dash character. Japanese and Chinese pages meet this requirement by default, but other languages are also vulnerable.
Researchers at WatchTowr echoed advice to upgrade to the most recent installations, in a blog post. WatchTowr said that those running versions in Chinese and Japanese languages need to immediately upgrade, as the low complexity of the bug makes it very easy to exploit. Those running versions in other languages, including English, should also take mitigation steps as the risk still remains.
Researchers at Imperva reported seeing thousands of attacks against financial services, healthcare and other targets in the U.S. and Brazil. Researchers on Monday warned the vulnerability is being leveraged to deliver ransomware.
