Advisory

June 10, 2024: PHP-CGI Argument Injection Vulnerability Could Lead to Remote Code Execution

June 10, 2024

Tags:

Rapid Response

Issue Name and Description: PHP-CGI Argument Injection Vulnerability. This is a critical argument injection vulnerability in PHP that can be exploited to achieve remote code execution (RCE) on affected systems.
Date Published: June 6th, 2024
CVE-ID and CVSS Score: CVE-2024-4577, CVSS Score: 9.8 (Critical)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command
Asset Description: The vulnerability affects PHP installations running on Windows operating systems with PHP running in CGI mode or exposing the PHP binary in the following versions:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Vulnerability Impact: A successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the vulnerable PHP server, leading to complete system compromise.
Exploitation Details: The vulnerability is a result of errors in character encoding conversions, specifically affecting the “Best Fit” feature on Windows. It allows an attacker to bypass previous protections like CVE-2012-1823 through specific character sequences, enabling argument injection attacks. This issue is currently not in CISA KEV, although ShadowServer has observed exploitation attempts on its sensors (https://infosec.exchange/@shadowserver/112575314920464732).
Patch Availability: Patched versions 8.3.8, 8.2.20, and 8.1.29 were released by PHP on June 6, 2024 to address this vulnerability: https://www.php.net/ . Upgrading to these versions is the recommended solution. For systems that cannot be immediately upgraded, temporary mitigation measures like modifying Apache rewrite rules or disabling the PHP-CGI feature are provided.
Global Footprint: Censys observes about 458,800 exposures of potentially vulnerable PHP instances as of June 9, 2024 — although note that this is likely an overestimate of the true impact of this vulnerability, given that we cannot detect when CGI mode is enabled. Most of these exposures are geolocated in the United States, followed by Germany.

Map of Censys-Visible Potentially Vulnerable PHP Instances on June 9, 2024 — Note that this does not account for whether or not CGI is enabled (created with kepler.gl)

Detection with Censys: The following queries can be leveraged to identify all Censys-visible public-facing PHP instances. Please note we cannot detect if PHP is in CGI mode.
- Search Exposure Query for all Censys-visible public-facing PHP instances running potentially vulnerable versions on Windows: services.software: (product: PHP and (version: [8.3.0 to 8.3.7] or version: [8.2.0 to 8.2.19] or version: [8.1.0 to 8.1.28] or version: [8.0.0 to 8.1.0] or version: [7.0.0 to 8.0.0] or version: [5.0.0 to 6.0.0])) and operating_system.product: Windows
- ASM Exposure Query for all Censys-visible public-facing PHP instances running potentially vulnerable versions on Windows: host.services.software: (product: PHP and (version: [8.3.0 to 8.3.7] or version: [8.2.0 to 8.2.19] or version: [8.1.0 to 8.1.28] or version: [8.0.0 to 8.1.0] or version: [7.0.0 to 8.0.0] or version: [5.0.0 to 6.0.0])) and host.operating_system.product: Windows
References:

Back to Resources Hub

Products

Use Cases

Industries

Resources

Company

June 10, 2024: PHP-CGI Argument Injection Vulnerability Could Lead to Remote Code Execution

June 10, 2024: PHP-CGI Argument Injection Vulnerability Could Lead to Remote Code Execution

Share