CISA warns: Critical PHP bug is exploited by ransomware

The recently published and fixed critical PHP bug with the CVE identifier CVE-2024-4577 is being actively exploited. CISA is warning about this by adding it to its database of “known exploited vulnerabilities” (KEV). Admins of Windows servers with PHP should patch it as soon as possible.

As usual, the note on the overview page of the KEV database is not very detailed, but confirms that it is being exploited in ransomware campaigns. A warning from the security company Imperva provides some details: The Windows ransomware is apparently called “TellYouThePass” and is executed using the PHP exploit and an HTA file. The attackers use the PHP function “system()” in conjunction with the Windows tool “mshta”. Once the ransomware has successfully embedded itself, it encrypts files and stores contact information in a readme file.

The PHP vulnerability is not new, but merely a variation of a twelve-year-old programming error that was listed as CVE-2012-1823 at the time and that the developers of the scripting language were unable to fully repair. Using clever coding tricks, attackers can execute their own code on vulnerable systems.

In the meantime, example exploits for the current vulnerability, along with automated attacks, are circulating on the Internet. Admins should therefore patch as soon as possible – PHP versions 8.1.29, 8.2.20 or 8.3.8 are considered to be fixed. In addition, security researchers from Devcore provide tips for risk assessment and temporary protection.
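For admins who want to verify that their Windows PHP installations are on one of the fixed releases named above, the following script is an added example (not from the article, CISA, Devcore or the PHP project). It parses the first line of `php -v` output and compares the version against the fixed releases the article lists (8.1.29, 8.2.20, 8.3.8). Branches the article does not cover, such as 8.0 or 7.x, are reported as "unknown"; that handling is an assumption of this example, not a statement by the article. The embedded `php -v` line is a constructed sample.

```python
"""Check a PHP version string against the fixed releases for CVE-2024-4577.

Added example, not part of the original article or of the PHP project.
Fixed versions per branch are taken from the article: 8.1.29, 8.2.20, 8.3.8.
Assumption (not from the article): branches it does not name are reported
as "unknown" rather than guessed at.
"""
import re
import subprocess

# Fixed releases per (major, minor) branch, as stated in the article.
FIXED_VERSIONS = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}

# Constructed sample of the first line of `php -v` on a Windows host.
SAMPLE_PHP_V = "PHP 8.2.19 (cli) (built: May  8 2024 10:00:00) (NTS Visual C++ 2019 x64)"

_VERSION_RE = re.compile(r"PHP\s+(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract (major, minor, patch) from `php -v` output, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify a (major, minor, patch) tuple as 'patched', 'vulnerable' or 'unknown'."""
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch not covered by the article's list of fixed releases (assumption).
        return "unknown"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if version >= fixed else "vulnerable"


def assess_output(text):
    """Convenience wrapper: classify raw `php -v` output."""
    return assess(parse_php_version(text))


def assess_local_php():
    """Run `php -v` on this host and classify it; 'unknown' if php is not on PATH."""
    try:
        out = subprocess.run(["php", "-v"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return assess_output(out.stdout)


if __name__ == "__main__":
    print("sample:", SAMPLE_PHP_V.split(" (")[0], "->", assess_output(SAMPLE_PHP_V))
    print("local php:", assess_local_php())
```

The check only answers whether the version is below the release that carries the fix; a "patched" result does not by itself confirm that the exposed configuration (for example a CGI setup) has been reviewed, which is what the Devcore guidance on risk assessment covers.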


(cku)
