Detect and mitigate CVE-2024-4577, a critical remote code execution vulnerability in PHP CGI. Organizations are advised to patch urgently.
Analysis Summary
# Vulnerability: Critical RCE in PHP CGI via Argument Injection (CVE-2024-4577)
## CVE Details
- CVE ID: CVE-2024-4577
- CVSS Score: (Implied Critical/High based on RCE and in-the-wild exploitation)
- CWE: (Not explicitly stated, related to Argument Injection/Improper Input Validation)
## Affected Systems
- Products: PHP CGI on Windows operating systems.
- Versions:
  - PHP 8.3 before version `8.3.8`
  - PHP 8.2 before version `8.2.20`
  - PHP 8.1 before version `8.1.29`
  - PHP 8.0, PHP 7, and PHP 5 (End-of-Life/unmaintained and assumed vulnerable)
- Configurations: Systems running PHP under CGI mode or exposing the PHP binary (e.g., default XAMPP installations). Exploitation confirmed on systems using Traditional Chinese, Simplified Chinese, and Japanese locales.
## Vulnerability Description
This critical vulnerability is a Remote Code Execution (RCE) flaw in PHP CGI on Windows systems. It stems from an oversight in how the operating system's "Best-Fit" character-encoding conversion is handled. This allows unauthenticated attackers to bypass previous protections (such as those added for CVE-2012-1823) by using specific character sequences to perform argument injection, leading to the execution of arbitrary code on remote servers.
## Exploitation
- Status: Exploited in the wild (by TellYouThePass ransomware gang). PoC available.
- Complexity: Low (Publicly available exploit code has been used).
- Attack Vector: Network (Remote, Unauthenticated)
## Impact
- Confidentiality: High (Arbitrary code execution allows full system compromise)
- Integrity: High (Arbitrary code execution allows code modification and ransomware deployment)
- Availability: High (Ransomware deployment leads to system/data unavailability)
## Remediation
### Patches
Users must upgrade to the following versions or later:
- PHP `8.3.8`
- PHP `8.2.20`
- PHP `8.1.29`
### Workarounds
For systems unable to immediately upgrade (applies primarily to Traditional Chinese, Simplified Chinese, and Japanese locales):
1. **Disable PHP CGI:** XAMPP users should comment out the `ScriptAlias /php-cgi/` line in the Apache HTTP Server configuration by prefixing it with `#`, so that it reads:
`# ScriptAlias /php-cgi/ "C:/xampp/php/"`
2. **Apply Rewrite Rules:** Apply provided Rewrite Rules (details not specified in the summary, but referenced as a temporary block for specific locales).
*Note: Migrating to a newer, maintained PHP branch is strongly recommended over relying on workarounds.*
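As an added example (not code from this advisory, from PHP or from Wiz), the following Python checks an installation against the two facts stated above: the first fixed release of each supported branch, and whether the XAMPP `ScriptAlias /php-cgi/` line is still active. The `php -v` output and the `httpd.conf` excerpt are constructed samples. Treating 8.0/7/5 as vulnerable follows the advisory's table; treating branches newer than 8.3 as not vulnerable is an assumption, since the advisory does not list them.

```python
"""Added example, not code from the advisory, PHP or Wiz: checks a PHP
install against the version table and the XAMPP workaround described above.
The 'php -v' output and httpd.conf excerpt below are constructed samples."""
import re
from typing import Optional, Tuple

# First fixed release per supported branch, as listed under Patches.
FIXED_VERSIONS = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Matches the first MAJOR.MINOR.PATCH triple, e.g. in "PHP 8.3.7 (cgi-fcgi) ...".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# Captures the SAPI name that 'php -v' / 'php-cgi -v' print in parentheses.
SAPI_RE = re.compile(r"^PHP\s+\d+\.\d+\.\d+\s+\(([\w-]+)\)", re.MULTILINE)
# An active (uncommented) ScriptAlias that exposes the php-cgi binary.
SCRIPTALIAS_RE = re.compile(r"^\s*ScriptAlias\s+/php-cgi/\s", re.MULTILINE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a bare version or 'php -v' output."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(text: str) -> bool:
    """True when the version is in an affected range from the advisory.

    8.0, 7.x and 5.x are end-of-life and counted as vulnerable, as the
    advisory assumes. Branches newer than 8.3 are not in the advisory's
    table and are reported as not vulnerable here (assumption).
    """
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no PHP version found in {text!r}")
    major, minor, _ = v
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return major < 8 or branch == (8, 0)


def sapi_from_php_v(output: str) -> Optional[str]:
    """Return the SAPI reported by 'php -v' ('cli', 'cgi-fcgi', ...)."""
    m = SAPI_RE.search(output)
    return m.group(1) if m else None


def exposes_php_cgi(httpd_conf: str) -> bool:
    """True if the XAMPP 'ScriptAlias /php-cgi/' line is still active.
    Apache treats lines whose first non-blank character is '#' as comments."""
    return SCRIPTALIAS_RE.search(httpd_conf) is not None


def assess(php_v_output: str, httpd_conf: str) -> str:
    """Combine both checks into one of three verdicts."""
    if not is_vulnerable_version(php_v_output):
        return "patched"
    if exposes_php_cgi(httpd_conf):
        return "vulnerable"
    return "unpatched-workaround-applied"


# Constructed sample inputs (not captured from a real host).
SAMPLE_PHP_V = (
    "PHP 8.3.7 (cgi-fcgi) (built: May  8 2024 09:50:08) (NTS Visual C++ 2019 x64)\n"
    "Copyright (c) The PHP Group\n"
)
SAMPLE_HTTPD_CONF = """# httpd.conf excerpt (constructed)
ScriptAlias /php-cgi/ "C:/xampp/php/"
<Directory "C:/xampp/php">
    Require all granted
</Directory>
"""
# The same excerpt with the workaround applied (line commented out).
PATCHED_HTTPD_CONF = SAMPLE_HTTPD_CONF.replace("ScriptAlias", "# ScriptAlias", 1)

if __name__ == "__main__":
    print("SAPI:", sapi_from_php_v(SAMPLE_PHP_V))
    print("before workaround:", assess(SAMPLE_PHP_V, SAMPLE_HTTPD_CONF))
    print("after workaround: ", assess(SAMPLE_PHP_V, PATCHED_HTTPD_CONF))
```

The verdict "unpatched-workaround-applied" is deliberately kept separate from "patched": commenting out the ScriptAlias removes the XAMPP exposure but does not address other ways the CGI binary may be reachable, which is why the note above still recommends upgrading.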
## Detection
- **Indicators of Compromise (IOCs):** Look for telltale signs of TellYouThePass ransomware usage, including the presence of the ransom note file named "READ_ME10.html," or obfuscated execution chains leveraging `mshta.exe` to execute malicious HTA/VBScript payloads leading to .NET ransomware loading in memory.
- **Detection Methods and Tools:** Wiz customers should utilize the pre-built query and advisory available in the Wiz Threat Center to locate vulnerable instances. General detection should focus on monitoring unusual process execution chains involving PHP interpreter interaction.
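As an added example of the "unusual process execution chains" detection named above (not code from the advisory or from Wiz), the following Python walks a process-creation event export and flags a PHP interpreter spawning a scripting host such as `mshta.exe`, plus every descendant of a flagged process (the `mshta.exe` to `cmd.exe` hop), and matches the ransom-note file name given in the IOCs. The CSV layout, the PIDs and the set of process names treated as suspicious children are constructed assumptions.

```python
"""Added example, not code from the advisory or Wiz: flags process chains in
which a PHP interpreter spawns a scripting host such as mshta.exe, and the
ransom-note file name the advisory lists. The CSV event export, the process
names treated as suspicious and the PID layout are constructed assumptions."""
import csv
import io
from typing import Dict, List

PHP_IMAGES = {"php-cgi.exe", "php.exe"}
# Children a PHP CGI worker has no normal reason to start (assumption; widen
# to "any child" for more coverage at the cost of noise from legitimate helpers).
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RANSOM_NOTE = "read_me10.html"  # READ_ME10.html from the IOCs, compared case-insensitively


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_php_spawned_chains(events_csv: str) -> List[Dict[str, str]]:
    """Walk process-creation events in time order and return the flagged ones.

    A child of a PHP interpreter that is in SUSPICIOUS_CHILDREN is flagged;
    so is every descendant of a flagged process, which catches the
    mshta.exe -> cmd.exe hop described in the IOCs.
    """
    php_pids: set = set()
    tainted: set = set()
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        pid, ppid = row["pid"], row["ppid"]
        image = basename(row["image"])
        if image in PHP_IMAGES:
            php_pids.add(pid)
        if ppid in php_pids and image in SUSPICIOUS_CHILDREN:
            reason = "spawned by PHP interpreter"
        elif ppid in tainted:
            reason = "descendant of flagged process"
        else:
            continue
        tainted.add(pid)
        hits.append({**row, "reason": reason})
    return hits


def is_ransom_note(path: str) -> bool:
    """File-create IOC: the TellYouThePass note name given in the advisory."""
    return basename(path) == RANSOM_NOTE


# Constructed sample export; a Sysmon Event ID 1 feed carries the same fields.
SAMPLE_EVENTS = """time,pid,ppid,parent_image,image,command_line
2024-06-10T03:12:01Z,4100,3900,C:\\xampp\\apache\\bin\\httpd.exe,C:\\xampp\\php\\php-cgi.exe,php-cgi.exe
2024-06-10T03:12:02Z,4212,4100,C:\\xampp\\php\\php-cgi.exe,C:\\Windows\\System32\\mshta.exe,mshta.exe C:\\Windows\\Temp\\update.hta
2024-06-10T03:12:03Z,4300,4212,C:\\Windows\\System32\\mshta.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
2024-06-10T03:15:00Z,5000,1200,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
2024-06-10T03:16:00Z,4400,3900,C:\\xampp\\apache\\bin\\httpd.exe,C:\\xampp\\php\\php-cgi.exe,php-cgi.exe
"""

if __name__ == "__main__":
    for hit in flag_php_spawned_chains(SAMPLE_EVENTS):
        print(hit["time"], hit["image"], "-", hit["reason"])
```

Chain tracking by PID is what makes the second hop visible: `cmd.exe` started by `mshta.exe` is unremarkable on its own and only becomes suspicious because its parent was itself spawned by `php-cgi.exe`. On a real host the same logic applies to a Sysmon or EDR process-creation feed once the column names are mapped.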
## References
- Vendor Advisories: Official PHP release announcements published on or after June 6, 2024.
- Relevant Links:
  - hXXps://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
  - hXXps://github.com/watchtowrlabs/CVE-2024-4577
  - hXXps://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/
  - hXXps://x.com/Shadowserver/status/1799053497490698548