PHP fixes critical vulnerability impacting all Windows PHP versions
Take action: If you are using PHP on any of your systems, it's time to act. Update the version of PHP or start implementing mitigation rules, because hackers are already looking for your vulnerable PHP server.
PHP has addressed a critical remote code execution (RCE) vulnerability affecting all versions of PHP on Windows since version 5.x.
The flaw, tracked as CVE-2024-4577 (CVSS score 9.8), was discovered by Devcore, and reported to the PHP developers. The vulnerability arises from an oversight in handling character encoding conversions, specifically the 'Best-Fit' feature on Windows when PHP is used in CGI mode. This oversight allows unauthenticated attackers to execute arbitrary code on remote PHP servers through an argument injection attack, circumventing protections put in place for CVE-2012-1823.
The PHP project maintainers released patches on June 6, 2024, for supported versions, addressing this vulnerability in:
- PHP 8.3.8
- PHP 8.2.20
- PHP 8.1.29
Due to the widespread deployment of PHP and the general resistance to change in many environments, many systems may remain vulnerable if they are not promptly updated.
The CVE-2024-4577 flaw impacts not only PHP installations but also the XAMPP development environment on Windows. Systems running PHP in CGI mode or having PHP executables accessible by the web server are at risk.
Remediation and mitigation strategies include:
- Updating PHP: Users should upgrade to PHP 8.3.8, PHP 8.2.20, or PHP 8.1.29, which incorporate the necessary patches.
- Applying Mitigations: For systems that cannot be immediately upgraded, an Apache mod_rewrite rule can be applied to reject requests whose query string begins with %ad:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
- Disabling PHP CGI: XAMPP users who do not require the PHP CGI feature should comment out the 'ScriptAlias' directive in the Apache configuration file (httpd-xampp.conf).
- Checking Server Configuration: Administrators can use the phpinfo() function to check the 'Server API' value and determine if PHP-CGI is in use.
- Migrating to Secure Alternatives: Consider moving from CGI to more secure alternatives such as FastCGI, PHP-FPM, or mod_php.
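As an added example (not code from the article or the PHP project), the following Python script applies the two checks a defender would run after reading the list above: whether a PHP version string is at or above the fixed release for its branch, and which Apache access-log requests carry a query string starting with %ad, the same condition the mod_rewrite rule matches. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Fixed releases named in the advisory, keyed by (major, minor) branch.
# Branches absent here (8.0, 7.x, 5.x) received no fix and are reported unpatched.
PATCHED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# Apache Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one normal request and two requests whose raw query
# string begins with %ad (the RewriteCond is case-insensitive, so both cases).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2024:10:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [07/Jun/2024:10:15:03 +0000] "POST /cgi-bin/php-cgi.exe?%ADprobe HTTP/1.1" 200 1024
198.51.100.4 - - [07/Jun/2024:10:15:05 +0000] "GET /info.php?%adx=1 HTTP/1.1" 403 199
"""


def php_version_is_patched(version):
    """True if `version` (e.g. '8.2.21') is at or above the fixed release of its branch."""
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', version)
    if not m:
        raise ValueError(f"unparseable PHP version: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    fixed = PATCHED.get(parts[:2])
    return fixed is not None and parts >= fixed


def query_starts_with_soft_hyphen(target):
    """Same test as `RewriteCond %{QUERY_STRING} ^%ad [NC]` on the raw request target."""
    return urlsplit(target).query[:3].lower() == '%ad'


def find_suspicious_requests(log_text):
    """Return (ip, time, target, status) for log lines matching the %ad condition."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and query_starts_with_soft_hyphen(m.group('target')):
            hits.append((m.group('ip'), m.group('time'), m.group('target'), int(m.group('status'))))
    return hits


if __name__ == '__main__':
    for ver in ('8.3.8', '8.2.19', '8.0.30'):
        print(ver, 'patched' if php_version_is_patched(ver) else 'VULNERABLE')
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print('suspicious request:', hit)
```

A status of 403 on a flagged line shows the mod_rewrite mitigation did its job; a 200 on a flagged line deserves a closer look.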
Attackers and researchers have already begun scanning for vulnerable systems, as noted by The Shadowserver Foundation.
Update - The notorious TellYouThePass ransomware gang exploits the remote code execution (RCE) vulnerability in PHP to compromise servers and deploy their malicious payloads. Time to patch NOW.