Aperçu
PHP CGI versions prior to 8.2.0 contain a critical argument injection vulnerability in the CGI SAPI (Server API) that allows remote attackers to execute arbitrary commands through specially crafted HTTP requests. The vulnerability stems from improper handling of user-supplied input when parsing command-line arguments, enabling attackers to inject arbitrary PHP arguments and achieve remote code execution without authentication. La vulnérabilité a été divulguée le June 9, 2024. CISA a identifié CVE-2024-4577 comme étant exploitée et est connue pour être utilisée dans des campagnes de rançongiciel.
Détails techniques
The vulnerability exists in the PHP CGI SAPI's handling of the QUERY_STRING parameter. When PHP CGI processes HTTP requests, it fails to properly sanitize the QUERY_STRING before passing it to the PHP interpreter as command-line arguments. An attacker can craft a malicious query string containing PHP command-line options (such as -d, -c, or -r) that get executed as if they were legitimate PHP arguments, allowing arbitrary code execution. The attack vector involves manipulating URL parameters to inject PHP runtime directives or code.
La vulnérabilité est classifiée comme CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) etCWE-94 (Improper Control of Generation of Code ('Code Injection')) .
La vulnérabilité a reçu un score de base CVSS v3.1 de 9.8 (CRITICAL) avec la chaîne vectorielle CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indiquant sa nature critical.
Impact
An unauthenticated remote attacker can execute arbitrary PHP code and system commands with the privileges of the web server process. This allows attackers to: read sensitive files, modify or delete data, establish reverse shells, deploy malware, pivot to internal systems, exfiltrate credentials, and completely compromise the web server and potentially the underlying infrastructure.
Mitigation et contournements
Update PHP to one of the fixed versions: 1) For PHP 8.1: upgrade to 8.1.29 or later, 2) For PHP 8.0: upgrade to 8.0.30 or later, 3) For PHP 7.4: upgrade to 7.4.33 or later, 4) For PHP 8.2+: ensure you are on the latest version. Follow your distribution's package management system or download from php.net. After updating, restart the web server to apply changes. Les versions suivantes incluent les correctifs nécessaires : PHP 8.2.0 and later, PHP 8.1.29 and later, PHP 8.0.30 and later, PHP 7.4.33 and later.
Comme contournements temporaires : disable php cgi sapi: if possible, switch from cgi to php-fpm (fastcgi process manager) or php as an apache module. these alternatives do not have the same vulnerability.; implement input validation and filtering: use a web application firewall (waf) to detect and block requests containing php-specific argument injection patterns (e.g., requests containing '-d', '-c', '-r' in query strings). block requests with suspicious characters in query_string.; restrict direct access to php cgi scripts: configure the web server to prevent direct execution of php cgi scripts. only allow execution through an index file or routing layer with proper input validation., et run php with minimal privileges: configure the php cgi process to run under a restricted user account with minimal filesystem and system permissions. this limits the impact of exploitation..
Recommandation de CISA : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Ressources additionnelles
Source : Ce rapport a été généré par IA
