Understanding CVE-2024-4577

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability identified in PHP, specifically affecting installations on Windows systems where PHP is used in CGI mode. This vulnerability arises from improper input validation, allowing attackers to execute arbitrary code on the server. It poses significant risks, including potential full system compromise.

Impact and Affected Versions

The vulnerability impacts all versions of PHP on Windows, but the most critically affected versions are:

  • PHP 8.3 (versions before 8.3.8)
  • PHP 8.2 (versions before 8.2.20)
  • PHP 8.1 (versions before 8.1.29)

Older versions of PHP (8.0, 7.x, 5.x) are also affected but are no longer supported.

Immediate Actions: Patching

Updating PHP on IIS

  1. Download Latest PHP Version: Visit the official PHP website to download the latest version.
  2. Stop IIS Services: Open Command Prompt as an administrator and run: iisreset /stop
  3. Backup Existing PHP: Backup your current PHP installation directory.
  4. Extract and Install: Extract the downloaded PHP package and replace the old PHP directory with the new one.
  5. Update PHP Configuration: Ensure the php.ini configuration file is updated accordingly, especially with new settings or deprecations.
  6. Restart IIS Services: Start the IIS services again by running: iisreset /start

Temporary Mitigation Measures

PHP Configuration Changes in php.ini

Update your php.ini file with the following settings to improve security:

  1. Disable Expose PHP: This prevents PHP from advertising its presence on the server. expose_php = Off
  2. Secure CGI Path Info: This ensures PHP correctly processes path information. cgi.fix_pathinfo = 1
  3. Disable Dangerous Functions: Disable functions that are often exploited. disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
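A quick way to check a host against the affected-version list and the php.ini settings above, written here as an added example (not code from the original page). It assumes the version is read from the first line of `php -v` output and that the three settings live in the [PHP] section of php.ini; the two ini fragments at the bottom are constructed for the demonstration.

```python
import configparser
import re

# Fixed releases named on this page, keyed by branch. A branch not listed here
# (8.0, 7.x, 5.x) is unsupported and is treated as affected at any patch level.
FIXED_VERSIONS = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
# php.ini values the page recommends as temporary mitigation.
EXPECTED_INI = {"expose_php": "off", "cgi.fix_pathinfo": "1"}
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen",
                     "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source"}

def parse_php_version(banner):
    """Extract (major, minor, patch) from `php -v` output such as 'PHP 8.3.7 (cli) ...'."""
    m = re.search(r"PHP (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in banner")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True when below the branch's fixed release, or on a branch with no fix at all."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return True if fixed is None else version < fixed

def audit_php_ini(ini_text):
    """Return a list of findings for the mitigations above; an empty list means all applied."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string("[PHP]\n" + ini_text)  # tolerate a file that omits the [PHP] header
    findings = []
    for key, want in EXPECTED_INI.items():
        got = cp["PHP"].get(key, "").strip().strip('"').lower()
        if got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    disabled = {f.strip() for f in cp["PHP"].get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    return findings

# Constructed php.ini fragments (not from a real host) for a stand-alone check.
WEAK_INI = """[PHP]
expose_php = On
cgi.fix_pathinfo = 0
"""
HARDENED_INI = """[PHP]
expose_php = Off ; keep the version out of response headers
cgi.fix_pathinfo = 1
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
"""
```

Run `audit_php_ini(open(r"C:\php\php.ini").read())` on the real file to get the list of settings still to change.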

URL Rewrite Module for IIS

Use URL Rewrite Module to block malicious queries. Here’s how to set it up:

  1. Install URL Rewrite Module: If not already installed, download and install the URL Rewrite Module for IIS from the Microsoft website.
  2. Open IIS Manager: Navigate to your site and open the “URL Rewrite” feature.
  3. Add Rule: Add a new blank rule and configure it as follows:
    • Name: Block Suspicious Queries
    • Match URL: Set Requested URL to Matches the Pattern and Using to Regular Expressions. Use the pattern .*.
    • Conditions: Add a condition with:
      • Condition Input: {QUERY_STRING}
      • Check if input string: Matches the Pattern
      • Pattern: .*%ad.* (or other specific patterns as needed)
    • Action: Set the action to Abort Request or Return Status Code as 403.

Example of web.config

Here’s an example of what your web.config file might look like to include the rewrite rules:

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Block Suspicious Queries" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{QUERY_STRING}" pattern=".*%ad.*" />
                    </conditions>
                    <action type="AbortRequest" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
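The rule above only prevents future requests; to find out whether matching requests were already received, the same condition can be run over existing IIS W3C logs. The following is an added example, not part of the original page: it mirrors the rule's query-string condition (case-insensitive, as IIS rewrite conditions are by default) and applies it to the cs-uri-query column, assuming the log carries a #Fields header and records the query string as received. The log lines are constructed for the demonstration.

```python
import re

# The condition the web.config rule above applies to {QUERY_STRING}. IIS rewrite
# conditions are case-insensitive by default, so "%ad" and "%AD" both match.
BLOCK_PATTERN = re.compile(r".*%ad.*", re.IGNORECASE)

def rule_blocks(query_string):
    """Mirror the rule: match url '.*' always succeeds, so the query string alone decides."""
    return BLOCK_PATTERN.match(query_string or "") is not None

def parse_w3c(log_text):
    """Yield one dict per entry of an IIS W3C log, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed entries
                yield dict(zip(fields, values))

def find_suspicious(log_text):
    """Return (timestamp, client ip, stem, query) for past requests the rule would block."""
    hits = []
    for e in parse_w3c(log_text):
        q = e.get("cs-uri-query", "-")
        if q != "-" and rule_blocks(q):  # IIS logs '-' when there is no query string
            hits.append((e["date"] + " " + e["time"], e["c-ip"], e["cs-uri-stem"], q))
    return hits

# Constructed sample log (not a real capture): a benign request, two queries carrying
# the %ad sequence in different letter cases, and a request with no query string at all.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-06-10 12:00:01 10.0.0.5 GET /index.php page=1 80 203.0.113.7 Mozilla/5.0 200
2024-06-10 12:00:02 10.0.0.5 GET /index.php %ADx 80 203.0.113.9 curl/8.0 200
2024-06-10 12:00:03 10.0.0.5 POST /test.php q=%adtest 80 203.0.113.9 curl/8.0 200
2024-06-10 12:00:04 10.0.0.5 GET /about.html - 80 198.51.100.3 Mozilla/5.0 200
"""
```

Point `find_suspicious` at the contents of a file under the site's log directory (typically below inetpub\logs\LogFiles) to list requests that arrived before the rule was in place.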

Long-Term Recommendations

Using PHP-FPM with IIS

PHP-FPM (FastCGI Process Manager) is recommended for improved security and performance over traditional CGI.

Setting Up PHP-FPM with IIS

  1. Install PHP-FPM: Download the latest PHP version with PHP-FPM from the official PHP website.
  2. Install FastCGI for IIS:
    • Open IIS Manager.
    • Click on “Server Manager” > “Add Roles and Features”.
    • In the “Add Roles and Features Wizard”, go to “Features” and select “CGI”.
    • Install the feature.
  3. Configure PHP-FPM:
    • Open the php.ini file and enable cgi.fix_pathinfo: cgi.fix_pathinfo=1
    • Create a php-fpm.conf file in the PHP installation directory and configure PHP-FPM pools as needed.
  4. Configure IIS to Use PHP-FPM:
    • Open IIS Manager.
    • Select your server or site.
    • Click on “Handler Mappings” > “Add Module Mapping”.
    • Configure the mapping with:
      • Request path: *.php
      • Module: FastCgiModule
      • Executable: Path to php-cgi.exe
      • Name: PHP via FastCGI
    • Click “OK” and confirm to create a FastCGI process pool.
  5. Test Configuration: Create a phpinfo.php file in your web root with the following content: <?php phpinfo(); ?> Then open this file in your browser to verify that PHP is running via FastCGI.

Additional Security Practices

  • Migrate to More Secure Architectures: Avoid using PHP in CGI mode. Consider using FastCGI with PHP-FPM for better security and performance.
  • Regular Updates: Ensure PHP and all related components are regularly updated.
  • Defense-in-Depth: Utilize a Web Application Firewall (WAF) and other security tools to provide additional layers of defense.
  • Security Best Practices: Follow security best practices, including least privilege principles, regular security audits, and staff training.

Conclusion

Mitigating CVE-2024-4577 on IIS-based servers requires immediate action through patching, implementing temporary measures if necessary, and adopting long-term security practices. By following the steps outlined, you can protect your PHP applications on IIS from potential exploitation.

For more detailed information and technical guidance, refer to sources such as SOCRadar, DEVCORE, Cybersecurity News, and Imperva.