Critical PHP CGI Remote Code Execution Vulnerability (CVE-2024-4577) Exploited Actively

Listen to this Post

For the last 7 days, my cybersecurity news feed has been full of ‘alerts’ driven by ‘mass exploitation warnings’ from Threat Intel vendors that CVE-2024-4577, a critical PHP CGI Remote Code Execution vulnerability, is under active exploitation!

Spoiler alert: it has been actively exploited for almost a year now (since June 2024, when watchTowr was first to release the analysis we used to protect our client base).

You Should Know:

1. Understanding CVE-2024-4577:

CVE-2024-4577 is a critical vulnerability in PHP CGI that allows remote attackers to execute arbitrary code on affected systems. This vulnerability is particularly dangerous because it can be exploited without authentication, making it a prime target for attackers.

2. Affected Systems:

  • PHP versions prior to 8.1.20, 8.2.7, and 8.3.0 are vulnerable.
  • Systems running PHP in CGI mode are at the highest risk.

3. Mitigation Steps:

  • Update PHP: Ensure that your PHP installation is updated to the latest version (8.1.20, 8.2.7, or 8.3.0).
    sudo apt-get update
    sudo apt-get install php8.3
    
  • Disable PHP CGI Mode: If possible, switch to a more secure PHP handler like `mod_php` or php-fpm.
    sudo a2dismod php-cgi
    sudo systemctl restart apache2
    
  • Apply Web Server Configuration Changes: Modify your web server configuration to restrict access to PHP CGI scripts.
    <FilesMatch "\.php$">
    SetHandler None
    </FilesMatch>
    

4. Detection and Monitoring:

  • Use intrusion detection systems (IDS) to monitor for suspicious activity related to PHP CGI exploitation.
    sudo apt-get install snort
    sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
    
  • Regularly review server logs for unusual PHP CGI requests.
    sudo tail -f /var/log/apache2/access.log | grep "php-cgi"
    

5. Exploitation Example:

Attackers can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server.
[http]
GET /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
Host: vulnerable-server.com
Content-Length: 23


[/http]

6. Patching and Verification:

After applying patches, verify that the vulnerability is mitigated by testing your server with a safe exploit simulation.

curl -I http://your-server.com/index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input

What Undercode Say:

CVE-2024-4577 is a stark reminder of the importance of timely updates and proactive security measures. Regularly updating software, monitoring for vulnerabilities, and applying secure configurations are critical to defending against such exploits. Linux and Windows administrators should prioritize patching and hardening their systems to prevent remote code execution attacks. For further reading, refer to the PHP Security Advisory and CVE Details.

Additional Commands for System Hardening:

  • Linux:
    sudo ufw enable
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw deny 22
    
  • Windows:
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
    New-NetFirewallRule -DisplayName "Block PHP CGI" -Direction Inbound -Action Block -Protocol TCP -LocalPort 80,443
    

Stay vigilant and keep your systems secure!

References:

Reported By: Benjamin Harris – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image