Overview
The PHP Group has patched a significant vulnerability affecting all versions of PHP on Windows systems, tracked as CVE-2024-4577 (CVSS 9.8). The flaw allows attackers to execute arbitrary code, putting systems that run PHP at risk, especially those running the XAMPP development environment.
The vulnerability stems from an argument injection bug caused by an incomplete fix for a previous issue found in 2012 (CVE-2012-1823). When implementing that fix, the PHP development team overlooked the Best-Fit behaviour of character encoding conversion in the Windows operating system. Because of this oversight, unauthenticated attackers can bypass the earlier protection by using specific character sequences and execute arbitrary code on remote PHP servers through argument injection.
Researchers from Devcore, who discovered the vulnerability, highlighted its ease of exploitation. PHP installations are vulnerable when they run in CGI mode, that is, when the Apache HTTP Server is configured to map HTTP requests to a PHP-CGI executable, a common configuration that increases the attack surface.
The flaw also affects systems where the PHP binary is exposed in the CGI directory, which is the default mode for XAMPP. XAMPP has not yet released an update, leaving many environments at risk. The flaw is currently being abused in multiple malware campaigns, including those involving Gh0st RAT, RedTail Cryptominer, Muhstik malware, and XMRig.
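To make the Best-Fit mechanism described above concrete from the detection side, here is an added Python example (not code from Avertium's advisory, from the PHP project, or from Devcore). It scans Apache access-log lines for requests handled by php-cgi whose query string, once the Windows Best-Fit mapping of the soft hyphen (byte 0xAD) to an ASCII hyphen is applied, would begin with an option-style `-`, and distinguishes that from the literal-hyphen pattern the 2012 fix already blocks. The log lines, client addresses, the `/php-cgi/` path and the query values are constructed samples; modelling only the soft-hyphen entry of the Best-Fit table is an assumption.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes, urlsplit

# Windows Best-Fit conversion maps some non-ASCII code points to look-alike
# ASCII characters. The entry relevant to CVE-2024-4577 is the soft hyphen
# (byte 0xAD in Windows-1252-style code pages) becoming an ASCII '-'.
# Assumption: modelling only this one entry of the Best-Fit table is enough
# for detection purposes; the real table is larger.
BEST_FIT = {0xAD: ord("-")}

# Request line inside an Apache "combined" log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Targets Apache would hand to php-cgi: a direct php-cgi path (XAMPP's
# default ScriptAlias is /php-cgi/) or any .php script when php-cgi is the
# configured handler for .php files.
PHP_TARGET_RE = re.compile(r"php-cgi|\.php(?:$|\?)", re.IGNORECASE)


def best_fit_normalize(raw: bytes) -> bytes:
    """Apply the modelled Best-Fit mapping byte by byte."""
    return bytes(BEST_FIT.get(b, b) for b in raw)


def classify(query: str) -> Optional[str]:
    """Return a verdict if the decoded query would be read as a php-cgi option."""
    raw = unquote_to_bytes(query)          # %AD -> 0xAD, %3D -> '='
    if not raw:
        return None
    if best_fit_normalize(raw)[:1] != b"-":
        return None                        # never becomes a '-' option
    if raw[:1] == b"-":
        return "literal '-' argument injection (CVE-2012-1823 pattern)"
    return "soft-hyphen argument injection (CVE-2024-4577 pattern)"


def scan(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request target, verdict) for every suspicious php-cgi request."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if not PHP_TARGET_RE.search(target):
            continue                       # not routed to php-cgi, ignore
        verdict = classify(urlsplit(target).query)
        if verdict:
            findings.append((target, verdict))
    return findings


# Constructed sample log lines; "setting=value" stands in for whatever
# php-cgi directive an attacker might try to pass.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jun/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+setting%3Dvalue HTTP/1.1" 200 73 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Jun/2024:12:00:03 +0000] "GET /cgi-bin/php-cgi.exe?-d+setting%3Dvalue HTTP/1.1" 403 199 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Jun/2024:12:00:04 +0000] "GET /static/logo.png?%ADx HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, verdict in scan(SAMPLE_LOG):
        print(f"{verdict}: {target}")
```

The path filter matters: the fourth sample line carries the same soft-hyphen byte but is never handed to php-cgi, so it is not reported, which keeps the rule from firing on every URL-encoded byte in the 0x80 to 0xFF range.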
Please be advised that CVE-2024-4577 is being exploited by attackers and multiple exploit attempts have been detected within 24 hours of disclosure. This vulnerability impacts all versions of PHP on Windows and should be patched IMMEDIATELY.
Avertium's Recommendations
- Updated versions of PHP 8.3, 8.2, and 8.1 were released on June 6; the fixes are listed in each branch's ChangeLog. See Devcore's analysis for further details.
- Organizations using manual mode should configure the Command Injection Attack group or specific relevant rules to "Deny" mode.
- Since PHP 8.0, PHP 7, and PHP 5 are End-of-Life and no longer receive maintenance, administrators of servers running those versions should consult the "Am I Vulnerable" section of Devcore's advisory and apply the temporary mitigations from its "Mitigation Measure" section.
How Avertium Is Protecting Our Customers
IoCs Added to Our Threat Feeds
We have not discovered any IoCs specifically related to exploitation of CVE-2024-4577; however, we are aware of four malware campaigns that have actively exploited this vulnerability: Gh0st RAT, RedTail Cryptominer, XMRig, and Muhstik. Avertium is monitoring for over 10,000 individual IoCs related to these campaigns.
NOTE: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.
TTPs to Monitor
- Initial Access (Tactic ID: TA0001)
  - Exploitation of Vulnerability (ID: T1190): Exploiting software vulnerabilities, including those that enable RCE, to gain initial access to a system.
- Execution (Tactic ID: TA0002)
  - Command and Scripting Interpreter (ID: T1059): Using interpreters like PowerShell, scripting languages, or command-line interfaces to execute code on the target system.
    - PowerShell (ID: T1059.001): Exploiting RCE to execute PowerShell commands.
    - Windows Command Shell (ID: T1059.003): Running arbitrary commands via the Windows command shell.
    - Python (ID: T1059.006): Using Python scripts to perform malicious actions.
  - Exploitation for Client Execution (ID: T1203): Executing code via vulnerabilities in client applications.
- Exfiltration (Tactic ID: TA0010)
  - Exfiltration Over C2 Channel (ID: T1041): Using command and control (C2) channels to exfiltrate data from the target system.
Additional Service Offerings
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
- Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company's IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
- Expanding endpoints, cloud computing environments, and accelerated digital transformation have dissolved the perimeter into an ever-expanding attack surface. Avertium offers Attack Surface Management, so you'll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
- Risk Assessments
- Pen Testing and Social Engineering
- Infrastructure Architecture and Integration
- Zero Trust Network Architecture
- Vulnerability Management
If you have any questions on these findings or prefer to no longer be notified about this issue, please contact the Cyber Fusion Center by replying to this message, sending an email to cfc@avertium.com, or by calling 1-877-707-7997 (option 1).
Supporting Documentation