CVE-2024-4577 is a vulnerability that abuses Apache’s handling of Unicode-to-ASCII conversion when PHP (Hypertext Preprocessor) runs in Common Gateway Interface (CGI) mode. It allows malicious code to be executed by the PHP executable and therefore presents a significant risk of remote code execution by malicious actors targeting vulnerable servers. Review this Cybersecurity Threat Advisory in full to ensure your systems are secure.
What is the threat?
CVE-2024-4577 can be exploited to achieve remote code execution on affected servers. PHP, a widely used open-source scripting language for web development, is served by an HTTP server and interpreted by the CGI executable. An attacker crafts a specially formatted HTTP request containing a “soft hyphen” to inject command-line arguments into the PHP executable on Apache. This technique bypasses Apache’s sanitization of hyphens, which is meant to prevent code injection. Even without CGI mode, the vulnerability can still be exploited when the PHP executable is accessible in web-served directories; this is the default configuration in XAMPP.
Why is it noteworthy?
CVE-2024-4577 has the potential to impact a wide range of web servers running PHP. Widely used web development environments like XAMPP for Windows are vulnerable by default.
What is the exposure or risk?
Exploitation of this vulnerability can lead to:
- execution of arbitrary code, allowing attackers to control the server;
- exposure of source code, leading to potential information leakage and further exploitation;
- compromise of server integrity, possibly resulting in data breaches or service disruptions.
Organizations using PHP on Windows Apache servers, especially those relying on PHP-CGI configurations, should prioritize patching their systems to prevent potential attacks.
What are the recommendations?
Barracuda MSP recommends the following actions to keep your systems secured against this vulnerability:
References
For more in-depth information about the recommendations, please visit the following links:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4577
- https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
- https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
- https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
- https://github.com/11whoami99/CVE-2024-4577
- https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv
- https://github.com/rapid7/metasploit-framework/pull/19247
- https://github.com/watchtowrlabs/CVE-2024-4577
- https://github.com/xcanwin/CVE-2024-4577-PHP-RCE
- https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.