Nynox advisory - Threat alert -

PHP CGI

– Date: 6th of June –

📢 Threat Alert – PHP CGI – Security researchers found a critical PHP remote code execution vulnerability in Windows servers. Please patch your PHP as soon as possible, and if that is not possible, read the mitigations below!

What’s going on?

⚠️ An unauthenticated attacker can execute arbitrary code on remote PHP servers through an argument injection attack.

⚠️ Some locales (Traditional and Simplified Chinese, Japanese) are confirmed vulnerable; other locales could be vulnerable as well.

⚠️ When the Action directive in Apache HTTP Server is configured to map the corresponding HTTP requests to a PHP-CGI executable binary, this vulnerability can be exploited directly.

⚠️ Even if PHP is not configured in CGI mode, merely exposing the PHP executable binary in the CGI directory is affected by this vulnerability too.

⚠️ The vulnerable versions are:

  • PHP 8.3 < 8.3.8
  • PHP 8.2 < 8.2.20
  • PHP 8.1 < 8.1.29

Other PHP versions are End-of-Life and are no longer maintained.

WHY IS THIS A PROBLEM?

❗ It gives anyone control over your website infrastructure, which could result in attackers taking over your devices.

❗ The main challenge of this vulnerability is that you may be using PHP without knowing it:
  • Your website provider may be using PHP.
  • You have a website that uses PHP (WordPress, for example).
  • Some applications may be using PHP to provide their services.

❗ XAMPP is vulnerable by default.

How does Nynox protect its customers?

🛡️ Free threat hunting based on the indicators for this attack

🛡️ Personalized assistance to mitigate the risk

🛡️ 24×7 Incident Response (CSIRT)

🛡️ 24×7 monitoring of customer environments

WHAT CAN YOU DO TO MITIGATE THE RISK?

✅ Patch to the latest available version:
  • 8.3.8
  • 8.2.20
  • 8.1.29

But what if you can't?

✅ If PHP CGI is not a needed feature, modify the Apache HTTP Server configuration file:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Comment out the following line with a # like below:
# ScriptAlias /php-cgi/ "C:/xampp/php/"


✅ If it is a needed feature, the following Rewrite Rules can be used to temporarily block attacks:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
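As an added example (not part of the Nynox advisory), the Python script below applies the same anchored, case-insensitive ^%ad test as the rewrite rule above to Apache access-log lines, so you can check past logs for requests the rule would have rejected. The log-line regex and the sample log entries are constructed for this example; note that the rule only matches query strings that start with %ad, so the script separately marks php-cgi requests with %ad elsewhere in the query for manual review.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the advisory's Apache rule:
#   RewriteCond %{QUERY_STRING} ^%ad [NC]
# The ^ anchor means only query strings that START with %ad match.
BLOCK_RE = re.compile(r"^%ad", re.IGNORECASE)

# Apache common/combined access-log line (hypothetical regex, sufficient for the samples).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line: str):
    """Split one access-log line into ip, path, query and status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))  # urlsplit leaves %-encoding untouched
    return {"ip": m.group("ip"), "path": url.path,
            "query": url.query, "status": int(m.group("status"))}

def would_be_blocked(query: str) -> bool:
    """True when the advisory's RewriteCond would have rejected this query string."""
    return BLOCK_RE.match(query) is not None

def classify(rec) -> str:
    """'blocked': rule matches; 'review': %ad elsewhere in a php-cgi request; else 'ok'."""
    if would_be_blocked(rec["query"]):
        return "blocked"
    if "php-cgi" in rec["path"].lower() and "%ad" in rec["query"].lower():
        return "review"
    return "ok"

def scan(lines):
    """Return (ip, path, verdict) for each parsable line whose verdict is not 'ok'."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and classify(rec) != "ok":
            hits.append((rec["ip"], rec["path"], classify(rec)))
    return hits

# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2024:10:01:02 +0200] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Jun/2024:10:01:07 +0200] "GET /php-cgi/php-cgi.exe?%adfoo=bar HTTP/1.1" 200 312',
    '203.0.113.9 - - [06/Jun/2024:10:01:09 +0200] "GET /php-cgi/php-cgi.exe?%ADfoo=bar HTTP/1.1" 200 312',
    '198.51.100.7 - - [06/Jun/2024:10:02:00 +0200] "GET /php-cgi/php-cgi.exe?x=1&%adfoo=bar HTTP/1.1" 200 312',
    '198.51.100.8 - - [06/Jun/2024:10:02:30 +0200] "GET /search.php?q=a%adb HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```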


 