A critical vulnerability affecting the PHP-CGI service, identified as CVE-2024-4577, has been published. It has been assigned a CVSS 3.1 score of 9.8. Note that multiple proofs of concept are readily available online and numerous exploitation attempts have already been reported.

The CVE-2024-4577 vulnerability has existed since 2012: it was introduced by the fix for CVE-2012-1823, an earlier PHP-CGI argument injection flaw.

 

Technical details of PHP-CGI vulnerability

CVE-2024-4577 allows an attacker to remotely execute arbitrary commands on Windows servers hosting PHP, through the PHP-CGI script engine. It can also be exploited when PHP is not explicitly configured in CGI mode, provided the PHP executables (php.exe or php-cgi.exe) are exposed through the web server, which is the case in default XAMPP installations. The PHP-CGI module is shipped with IIS web servers and XAMPP servers.

The impacted versions are:

  • 8.1.x before 8.1.29,
  • 8.2.x before 8.2.20,
  • 8.3.x before 8.3.8,
  • 8.0.x and all earlier branches (end of life, no fix available).

This vulnerability is exploited by inserting a “Soft-Hyphen” character (byte 0xAD) in the query string of a URL. The Windows “Best-Fit” character mapping automatically converts it into a regular hyphen (0x2D) when the arguments are handed to the PHP executable. Because PHP's sanitisation (the CVE-2012-1823 check for a leading hyphen) runs before this conversion, it does not see the hyphen, and the attacker can pass command-line options such as -d (which sets INI directives) to the “php.exe” / “php-cgi.exe” executable, ultimately running arbitrary PHP code.

For now, only Windows servers running with Japanese and Chinese (Simplified and Traditional) locales are confirmed to be vulnerable. The result for other locales is still unknown. Exploit attempts have nonetheless already been reported worldwide.

 

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190 (Exploit Public-Facing Application)

IoC

The attack can be detected by looking for a « Soft-Hyphen » character (%AD encoded) inside the URL of an HTTP request. For example:

  • https://example.com/test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
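The following Python script is an added illustration of the detection logic described above (it is not Stormshield's IPS code nor part of the original advisory). It percent-decodes each request target to raw bytes, flags the 0xAD soft-hyphen byte, and reports which php-cgi option letter would follow each hyphen once the Windows Best-Fit mapping has turned 0xAD into '-'. It also shows why a lone 0xAD byte is not valid UTF-8, which is the property an "Bad UTF-8 encoding in URL" signature keys on. The request lines it scans are constructed samples; the first malicious one is the IoC URL given above.

```python
"""Detect CVE-2024-4577-style soft-hyphen argument injection in HTTP request lines.

Added example (not Stormshield's signature). Sample request lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = 0xAD  # "%AD" in a URL; best-fit mapped to '-' (0x2D) on the vulnerable locales

# 0xAD immediately followed by a letter is what php-cgi would see as an option
# (e.g. -d to set an INI directive, -s to dump source) after best-fit mapping.
_OPTION_RE = re.compile(rb"\xad([A-Za-z])")

# Minimal HTTP request-line parser: METHOD SP request-target SP HTTP-version
_REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?$")


def decode_target(target):
    """Percent-decode a request target to raw bytes, without charset interpretation.

    "%AD" becomes the single byte 0xAD, which is what the CGI layer passes on.
    (A raw U+00AD in a str would be UTF-8 encoded to C2 AD, which is not the
    attack byte; pass bytes when the log preserves the original octets.)
    """
    return unquote_to_bytes(target)


def valid_utf8(raw):
    """True if the decoded target is well-formed UTF-8. A lone 0xAD byte is not."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def classify(target):
    """Return (verdict, option_letters) for one request target.

    verdict is "clean", "soft-hyphen" (0xAD present but not followed by a
    letter) or "option-injection" (0xAD followed by a php-cgi option letter).
    """
    raw = decode_target(target)
    if SOFT_HYPHEN not in raw:
        return "clean", []
    options = [m.group(1).decode("ascii") for m in _OPTION_RE.finditer(raw)]
    return ("option-injection" if options else "soft-hyphen"), options


def scan(request_lines):
    """Scan raw request lines; return (target, verdict, options) for each hit."""
    findings = []
    for line in request_lines:
        m = _REQUEST_LINE_RE.match(line)
        if not m:
            continue  # not a request line, skip
        verdict, options = classify(m.group("target"))
        if verdict != "clean":
            findings.append((m.group("target"), verdict, options))
    return findings


# Constructed sample request lines (not from a real server).
SAMPLE_REQUESTS = [
    "GET /index.php?page=1 HTTP/1.1",
    # IoC from the advisory: -d allow_url_include=1 -d auto_prepend_file=php://input
    "GET /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1",
    "GET /test.php?%ADs HTTP/1.1",               # -s: classic CVE-2012-1823 style
    "GET /doc.php?title=caf%C3%A9 HTTP/1.1",     # legitimate UTF-8, must not alert
    "GET /x.php?%ad HTTP/1.1",                   # lowercase hex, soft hyphen alone
]

if __name__ == "__main__":
    for target, verdict, options in scan(SAMPLE_REQUESTS):
        print(f"{verdict:17} options={options} utf8_ok={valid_utf8(decode_target(target))} {target}")
```

The check is deliberately done on the percent-decoded bytes rather than on the URL text, so `%AD`, `%ad` and a raw 0xAD octet are all caught; the UTF-8 validity test explains why a generic "bad UTF-8 in URL" signature fires on this traffic, and why a legitimate accented parameter such as `caf%C3%A9` does not.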

 

PHP-CGI vulnerability: Stormshield Network Security protections

Protection to face CVE-2024-4577

Stormshield Network Security (SNS) firewalls detect and block CVE-2024-4577 exploit attempts using their IPS HTTP protocol inspection. This requires SSL/TLS traffic to be decrypted.

  • http:82 : Bad UTF-8 encoding in URL (the isolated 0xAD byte carrying the soft hyphen is not valid UTF-8)

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the PHP-CGI vulnerability

It is strongly recommended to update PHP (or the services bundling it, such as XAMPP) to at least the following versions. Versions 8.0.x and earlier are end of life and receive no fix; they must be migrated to a supported branch.

  • 8.1.29
  • 8.2.20
  • 8.3.8

The original advisory can be found here: openwall.com/lists/oss-security/2024/06/07/1

Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.