Vulnerability in PHP's critical security feature is under attack, research reveals that exploitation is straightforward
A critical argument injection vulnerability, identified as CVE-2024-4577, has been discovered in PHP, affecting all versions installed on the Windows operating system. The vulnerability, first uncovered by Devcore during offensive research, is linked to an older flaw, CVE-2012-1823, where attackers were able to bypass previous protections.
The vulnerability has a CVSS score of 9.8, indicating a high severity. According to researchers at Censys, it could allow an attacker to take over an affected system. They have identified over 458,000 potentially vulnerable instances, mainly in the U.S. and Germany.
Researchers at Shadowserver have reported multiple IPs testing the vulnerability against its honeypot sensors. The vulnerability is classified as critical due to the widespread use of PHP in the web ecosystem.
To mitigate the risk, it is recommended to take the following steps:
- Apply Official PHP Updates Immediately: Upgrade to the latest patched PHP version provided by the official PHP development team. Staying on unsupported or outdated PHP versions increases exposure to remote code execution (RCE) attacks.
- Virtual Patching / Web Application Firewall (WAF) Integration: While applying official patches, use virtual patches via Web Application and API Protection (WAAP) or WAF solutions that can block exploit attempts targeting this vulnerability. Virtual patches have been shown to block over 60% of web attacks and can significantly reduce patching time.
- Harden Your PHP-CGI Configuration: Since CVE-2024-4577 exploits argument injection in PHP-CGI on Windows, securely configuring PHP-CGI by disabling potentially unsafe settings, restricting executable paths, and limiting CGI usage can reduce the attack surface.
- Monitor Threat Intelligence Sources: Stay updated with threat intelligence feeds to detect early exploitation attempts or emerging attack campaigns.
- Network-Level Protections: Use network content inspection and intrusion detection/prevention systems to identify and block malicious requests exploiting PHP obfuscation or known attack signatures related to this CVE.
In summary, the best defense is to promptly upgrade PHP to versions patched against CVE-2024-4577, supplement with virtual patching/WAF, harden PHP-CGI configurations on Windows, and monitor for active exploitation tactics using threat intelligence and network protections. It is crucial to act swiftly to protect your systems from potential attacks.
- The high vulnerability of PHP systems, as demonstrated by the critical argument injection vulnerability CVE-2024-4577, coupled with the prevalence of ransomware attacks, underscores the importance of robust cybersecurity measures, particularly in the face of emerging threats like ransomware.
- In the tech-driven world, where cybersecurity breaches can have devastating consequences, it is essential to implement comprehensive security strategies, encompassing immediate PHP updates, virtual patching, hardened configurations, threat intelligence, and network protections, to safeguard systems from ransomware and other cybersecurity threats.
