Understanding CVE-2024-4577
CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in PHP that affects Windows installations where PHP runs through the CGI interface (php-cgi.exe). It is an argument injection rather than a generic input-validation bug: on Windows locales whose code page applies "Best-Fit" character mapping (notably Traditional Chinese, Simplified Chinese and Japanese), a soft-hyphen byte (0xAD, sent as %ad in the query string) is converted to an ordinary hyphen before it reaches php-cgi, so an attacker can smuggle interpreter command-line options such as -d into the request and execute arbitrary code on the server. The flaw bypasses the protection that was added for CVE-2012-1823 and can lead to full system compromise.
Impact and Affected Versions
PHP on Windows is affected in every release when it runs in CGI mode, or when the php-cgi.exe binary is otherwise reachable from the web. The first fixed releases are:
- PHP 8.3: fixed in 8.3.8 (8.3.0 to 8.3.7 are vulnerable)
- PHP 8.2: fixed in 8.2.20 (8.2.0 to 8.2.19 are vulnerable)
- PHP 8.1: fixed in 8.1.29 (8.1.0 to 8.1.28 are vulnerable)
PHP 8.0, 7.x and 5.x are also affected and, being end-of-life, will not receive a fix; they have to be upgraded to a supported branch.
Immediate Actions: Patching
Updating PHP on IIS
- Download Latest PHP Version: Get the fixed release from the official PHP Windows downloads (windows.php.net). Pick the same build variant you already run (x64 or x86, and Non-Thread-Safe for IIS FastCGI, which is what the PHP manual prescribes); mixing variants breaks loaded extensions.
- Stop IIS Services: Open Command Prompt as an administrator and run:
iisreset /stop
- Backup Existing PHP: Backup your current PHP installation directory.
- Extract and Install: Extract the downloaded PHP package and replace the old PHP directory with the new one.
- Update PHP Configuration: Carry your existing php.ini over to the new directory and compare it with the php.ini-production shipped in the new release, so that new directives are set and deprecated ones removed.
- Restart IIS Services: Start IIS again by running:
iisreset /start
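The patching procedure above as a single script, added here as an example and not part of the original article. It assumes hypothetical paths (C:\php for the current installation, C:\php-new for the already downloaded and extracted fixed release, C:\php-backup for backups) and an elevated PowerShell prompt; it refuses to proceed if the new build is itself still below the fixed release for its branch.

```powershell
# Added example, not taken from the original article: check whether the
# installed php-cgi.exe predates the fixed release for its branch, and if so
# swap in a freshly extracted fixed build behind an IIS stop/start.
# Assumptions (hypothetical paths, adjust to your host): PHP is installed in
# C:\php, the new release is already extracted to C:\php-new, and backups go
# to C:\php-backup. Run from an elevated PowerShell prompt.
$PhpDir    = 'C:\php'
$NewPhpDir = 'C:\php-new'
$BackupDir = 'C:\php-backup'

# First release of each supported branch that contains the fix for CVE-2024-4577.
$Fixed = @{
    '8.1' = [version]'8.1.29'
    '8.2' = [version]'8.2.20'
    '8.3' = [version]'8.3.8'
}

# Parse "PHP 8.3.7 (cgi-fcgi) (built: ...)" from php-cgi.exe -v into a [version].
function Get-PhpCgiVersion([string]$Dir) {
    $first = (& (Join-Path $Dir 'php-cgi.exe') -v 2>&1 | Select-Object -First 1)
    if ("$first" -match 'PHP (\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    throw "Could not read a PHP version from '$Dir': $first"
}

# Vulnerable if older than the fixed release, or on a branch that never got one.
function Test-PhpVulnerable([version]$Ver) {
    $branch = '{0}.{1}' -f $Ver.Major, $Ver.Minor
    if (-not $Fixed.ContainsKey($branch)) { return $true }   # 8.0, 7.x, 5.x: end of life
    return $Ver -lt $Fixed[$branch]
}

$current = Get-PhpCgiVersion $PhpDir
if (-not (Test-PhpVulnerable $current)) {
    Write-Host "PHP $current is already fixed; nothing to do."
    return
}

$new = Get-PhpCgiVersion $NewPhpDir
if (Test-PhpVulnerable $new) {
    throw "The build in $NewPhpDir ($new) is still vulnerable; download a fixed release first."
}

iisreset /stop

# Keep a timestamped copy of the old installation so the change can be reverted.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Copy-Item -Path $PhpDir -Destination (Join-Path $BackupDir "php-$stamp") -Recurse

# Carry php.ini over; review it against the new release's php.ini-production afterwards.
Copy-Item -Path (Join-Path $PhpDir 'php.ini') -Destination (Join-Path $NewPhpDir 'php.ini') -Force
Remove-Item -Path $PhpDir -Recurse -Force
Move-Item -Path $NewPhpDir -Destination $PhpDir

iisreset /start
Write-Host "Replaced PHP $current with PHP $(Get-PhpCgiVersion $PhpDir)."
```

The version check is the part worth keeping even if you patch by hand: a build on an end-of-life branch (8.0 or older) is reported as vulnerable regardless of its patch level, because no fixed release exists for it.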
Temporary Mitigation Measures
PHP Configuration Changes in php.ini
The settings below are general hardening, not a fix for CVE-2024-4577: the exploit appends -d directives to php-cgi's command line (for example to enable allow_url_include and auto_prepend_file), and -d overrides whatever php.ini says. Apply them for defence in depth, but rely on the URL Rewrite rule below and, above all, on patching to close the vulnerability itself.
- Disable Expose PHP: Stops PHP from announcing its version in the X-Powered-By header, which makes fingerprinting vulnerable builds slightly harder.
expose_php = Off
- CGI Path Info: This is the value the PHP manual prescribes for IIS FastCGI so that SCRIPT_FILENAME and PATH_INFO are resolved correctly. It is a functional setting, not a hardening measure, and it has no effect on CVE-2024-4577; keep whatever your IIS setup requires.
cgi.fix_pathinfo = 1
- Disable Dangerous Functions: Removes the functions most often used after a foothold is gained. Test your applications first; the list below also disables curl_exec and curl_multi_exec, which many applications rely on.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
URL Rewrite Module for IIS
Use the URL Rewrite Module to drop requests whose query string carries the percent-encoded soft hyphen (%ad) that the exploit depends on. This blocks the known trigger only and does not remove the underlying argument injection, so treat it as a stopgap until PHP is patched. Here is how to set it up:
- Install URL Rewrite Module: If not already installed, download and install the URL Rewrite Module for IIS from the Microsoft website.
- Open IIS Manager: Navigate to your site and open the “URL Rewrite” feature.
- Add Rule: Add a new blank rule and configure it as follows:
  - Name: Block Suspicious Queries
  - Match URL: set Requested URL to "Matches the Pattern" and Using to "Regular Expressions", with the pattern .* so the rule applies to every URL.
  - Conditions: add a condition with Condition input {QUERY_STRING}, Check if input string set to "Matches the Pattern", and Pattern .*%ad.* (IIS rewrite patterns are case-insensitive by default, so %AD is caught as well; add other specific patterns as needed).
  - Action: set the action to "Abort Request" (the connection is dropped without a response) or to "Custom Response" with status code 403 (the denial is visible to the client and logged).
- Scope: creating the rule at the server node in IIS Manager instead of on one site applies it to every site on the host.
Example of web.config
Here is an example of what your site's web.config file might look like with the rule in place (swap the AbortRequest action for a CustomResponse with status code 403 if you want the block to show up in the IIS logs):
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Drops any request whose query string contains the percent-encoded soft hyphen (%ad or %AD). -->
        <rule name="Block Suspicious Queries" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{QUERY_STRING}" pattern=".*%ad.*" ignoreCase="true" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
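To confirm the rule actually fires once it is deployed, here is an added PowerShell check that is not part of the original article. It sends a handful of probe requests and reports whether each was blocked; a request counts as blocked when the server answers 403 (Custom Response) or drops the connection (Abort Request). It assumes the site is reachable at http://localhost and has an index.php, both hypothetical.

```powershell
# Added example (not from the original article): probe a site after the
# "Block Suspicious Queries" rule is in place and confirm it behaves as intended.
# Assumptions (hypothetical): the site answers on http://localhost and serves
# index.php; change $Base for your host.
$Base = 'http://localhost'

# Returns the HTTP status code, or 0 when the server dropped the connection,
# which is what the AbortRequest action does.
function Get-ProbeStatus([string]$Url) {
    try {
        return [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return 0
    }
}

# Blocked means 403 from a Custom Response action or an aborted connection.
function Test-Blocked([string]$Url) {
    $code = Get-ProbeStatus $Url
    return ($code -eq 403 -or $code -eq 0)
}

# Constructed probes: one benign request and three carrying the soft hyphen.
$probes = @(
    @{ Url = "$Base/index.php?page=1";    ExpectBlocked = $false }  # ordinary query string
    @{ Url = "$Base/index.php?%adtest";   ExpectBlocked = $true  }  # lower-case encoding
    @{ Url = "$Base/index.php?%ADtest";   ExpectBlocked = $true  }  # upper-case encoding
    @{ Url = "$Base/index.php?x=1&y=%ad"; ExpectBlocked = $true  }  # byte not at the start
)

$failed = 0
foreach ($p in $probes) {
    $blocked = Test-Blocked $p.Url
    $ok = ($blocked -eq $p.ExpectBlocked)
    if (-not $ok) { $failed++ }
    '{0,-4} blocked={1,-5} expected={2,-5} {3}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $blocked, $p.ExpectBlocked, $p.Url)
}
if ($failed) {
    Write-Warning "$failed probe(s) did not behave as expected; check the rule's pattern and the level (site or server) it was created at."
}
```

The benign probe is there to catch an over-broad rule: if it comes back blocked, the match pattern or condition is wrong and legitimate traffic is being dropped along with the attack.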
Long-Term Recommendations
Using FastCGI with IIS
On IIS, PHP should be run through the IIS FastCGI module (FastCgiModule), which hosts php-cgi.exe as a pool of long-lived FastCGI processes. PHP-FPM itself is not built for Windows, so "PHP-FPM on IIS" in practice means this built-in module. Beyond the performance gain over spawning php-cgi.exe for every request, FastCGI hands the query string to PHP only as the QUERY_STRING parameter and never on the command line, which is exactly the channel CVE-2024-4577 abuses; this is why the PHP project recommends FastCGI (or mod_php / PHP-FPM on other platforms) over plain CGI.
Setting Up FastCGI with IIS
- Install PHP: Download a fixed Non-Thread-Safe Windows build from windows.php.net and extract it (for example to C:\php).
- Install the CGI role service for IIS (it provides both the CGI and FastCGI modules):
  - Open Server Manager (a separate tool from IIS Manager) and choose "Add Roles and Features".
  - In the "Add Roles and Features Wizard", under Web Server (IIS) > Web Server > Application Development, select "CGI".
  - Install the feature. On client editions of Windows the equivalent is "Internet Information Services > World Wide Web Services > Application Development Features > CGI" under "Turn Windows features on or off".
- Configure php.ini: set cgi.fix_pathinfo to 1, the value the PHP manual prescribes for IIS, together with the other IIS-specific directives the manual lists (fastcgi.impersonate, cgi.force_redirect, fastcgi.logging):
cgi.fix_pathinfo=1
- Configure IIS to Use FastCGI:
  - Open IIS Manager.
  - Select your server or site.
  - Open "Handler Mappings" and click "Add Module Mapping".
  - Configure the mapping with:
    - Request path: *.php
    - Module: FastCgiModule
    - Executable: the full path to php-cgi.exe (for example C:\php\php-cgi.exe)
    - Name: PHP via FastCGI
  - Click "OK" and confirm the prompt to create a FastCGI application for that executable. There is no php-fpm.conf on Windows; the process pool is tuned in IIS Manager under "FastCGI Settings" (for example Instance MaxRequests, which the PHP manual recommends matching with the PHP_FCGI_MAX_REQUESTS environment variable).
  - Remove any older handler mapping that runs php-cgi.exe through CgiModule; such a mapping keeps the vulnerable CGI path open even after FastCGI is configured.
- Test Configuration: Create a phpinfo.php file in your web root with the following content:
<?php phpinfo(); ?>
Open it in your browser and check that the "Server API" row reads CGI/FastCGI. Delete the file afterwards, since phpinfo() discloses the build, paths and loaded extensions.
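The handler-mapping and verification steps above as a script, added here as an example; it is not from the original article or from the PHP project, although the two appcmd calls are the ones the PHP manual gives for IIS. It assumes hypothetical values (PHP in C:\php with an IIS-ready php.ini, web root C:\inetpub\wwwroot, the site reachable at http://localhost) and an elevated prompt, and it also flags any leftover plain-CGI mapping for php-cgi.exe, the check a practitioner most wants after migrating.

```powershell
# Added example, not from the original article or the PHP project: register
# php-cgi.exe with the IIS FastCGI module, flag any leftover plain-CGI mapping,
# and verify through phpinfo() that PHP is served via FastCGI.
# Assumptions (hypothetical, adjust to your host): PHP is in C:\php with an
# IIS-ready php.ini, the web root is C:\inetpub\wwwroot, the site answers on
# http://localhost, and the prompt is elevated.
$PhpCgi  = 'C:\php\php-cgi.exe'
$WebRoot = 'C:\inetpub\wwwroot'
$Base    = 'http://localhost'
$AppCmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

Import-Module WebAdministration

# 1. The CGI role service installs both the CGI and FastCGI modules (Windows Server).
#    On client editions use: Enable-WindowsOptionalFeature -Online -FeatureName IIS-CGI
if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    Install-WindowsFeature Web-CGI | Out-Null
}

# 2. Register php-cgi.exe as a FastCGI application and map *.php to it through
#    FastCgiModule. These are the appcmd calls the PHP manual gives for IIS;
#    each is skipped when the entry already exists, so the script can be re-run.
$fcgiApp = Get-WebConfiguration -PSPath 'IIS:\' `
    -Filter "/system.webServer/fastCgi/application[@fullPath='$PhpCgi']"
if (-not $fcgiApp) {
    & $AppCmd set config /section:system.webServer/fastCgi "/+[fullPath='$PhpCgi']" | Out-Null
}
if (-not (Get-WebHandler -Name 'PHP via FastCGI' -ErrorAction SilentlyContinue)) {
    & $AppCmd set config /section:system.webServer/handlers `
        "/+[name='PHP via FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='$PhpCgi',resourceType='Either']" | Out-Null
}

# 3. A handler that still runs php-cgi.exe through CgiModule keeps the
#    command-line argument path (the one CVE-2024-4577 abuses) open.
$legacy = Get-WebHandler | Where-Object {
    $_.Modules -eq 'CgiModule' -and $_.ScriptProcessor -like '*php-cgi.exe*'
}
foreach ($h in $legacy) {
    Write-Warning "Plain-CGI PHP mapping still present: '$($h.Name)' for $($h.Path); remove it."
}

# 4. Prove the SAPI with a throwaway phpinfo() page, then delete it: phpinfo()
#    discloses the build, paths and extensions and must not stay on the server.
$probe = Join-Path $WebRoot 'fcgi-check.php'
Set-Content -Path $probe -Value '<?php phpinfo(); ?>'
try {
    $html = (Invoke-WebRequest -Uri "$Base/fcgi-check.php" -UseBasicParsing).Content
    if ($html -match 'Server API\s*</td>\s*<td[^>]*>\s*CGI/FastCGI') {
        Write-Host 'OK: phpinfo() reports Server API = CGI/FastCGI'
    } else {
        Write-Warning 'phpinfo() did not report CGI/FastCGI; check the handler mapping.'
    }
} finally {
    Remove-Item -Path $probe -Force
}
```

Step 3 is the one that matters for this CVE: a FastCGI mapping added next to an old CgiModule mapping does not retire the old one, and whichever handler matches a given request decides whether the query string can reach php-cgi.exe as command-line arguments.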
Additional Security Practices
- Migrate to More Secure Architectures: Do not run PHP as a plain CGI executable on IIS. Use the FastCGI module (php-cgi.exe hosted by FastCgiModule), which is also the configuration the PHP manual prescribes for IIS.
- Regular Updates: Ensure PHP and all related components are regularly updated, and follow the release announcements for the PHP branch you run so that a fix such as 8.3.8 is applied promptly.
- Defense-in-Depth: Use a Web Application Firewall (WAF) and other security tools to provide additional layers of defense.
- Security Best Practices: Follow security best practices, including least privilege (run each application pool under its own low-privilege identity so a compromised PHP process cannot reach other sites or the host), regular security audits, and staff training.
Conclusion
Mitigating CVE-2024-4577 on IIS-based servers requires immediate action through patching, implementing temporary measures if necessary, and adopting long-term security practices. By following the steps outlined, you can protect your PHP applications on IIS from potential exploitation.
For more detailed information and technical guidance, refer to the advisory from DEVCORE (戴夫寇爾), who reported the vulnerability, and the write-ups by SOCRadar, Imperva and Cybersecurity News.