PHP | Alexander V. Leonov

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks. I already had a post about this vulnerability earlier. Now Imperva Threat Research reports that this vulnerability is being used by attackers to deliver malware identified as a component of the TellYouThePass ransomware.

⏳ The attacks were noticed on June 8, less than 48 hours after the PHP developers released a patch. The attacks used an exploit that by that time was already publicly available.

TellYouThePass attacks have been reported since 2019. They target enterprises and individuals. Attackers encrypt both Windows and Linux infrastructure.

What conclusions can be drawn? If you see a vulnerability with a public exploit and a more or less clear vector of exploitation, don’t be lazy to patch it as quickly as possible. Because attackers will definitely not be too lazy to add this exploit to their malware. 😉

На русском

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit. CVSS 9.8. On June 6, PHP developers released an update to fix an RCE vulnerability which exists due to incorrect work with the Best-Fit encoding conversion function in the Windows operating system. An unauthenticated attacker performing an argument injection attack can bypass protection against the old actively exploited RCE vulnerability CVE-2012-1823 using certain character sequences and thus execute arbitrary code. Exploits for the vulnerability are already available on GitHub. The Shadowserver Foundation has noticed active scans aimed at detecting vulnerable hosts. 👾

The vulnerability affects all versions of PHP installed on the Windows operating system.

🔻 PHP 8.3 < 8.3.8
🔻 PHP 8.2 < 8.2.20
🔻 PHP 8.1 < 8.1.29 PHP 8.0, PHP 7 and PHP 5 are also vulnerable, but they are already in End-of-Life and are not supported. 🤷‍♂️ It is specifically emphasized that all XAMPP installations are also vulnerable by default. XAMPP is a free and open-source cross-platform web server solution containing Apache, MariaDB, PHP, Perl and a large number of additional libraries. If updating to the latest version of PHP is not possible, researchers from DEVCORE suggest configuration recommendations that prevent vulnerability exploitation. However, these recommendations apply to installations on Windows with certain language locales (Traditional Chinese, Simplified Chinese, Japanese) for which the exploitation of the vulnerability has been verified. For other locales, due to the wide range of PHP use cases, it is currently impossible to fully list and exclude all potential exploitation scenarios. Therefore, users are advised to conduct a comprehensive asset assessment, check PHP usage scenarios, and update PHP to the latest version.

На русском

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0. Vulners Team released today the second version of their Web Vulnerability Scanning plugin for Google Chrome browser. You can read my description of the version 1.0 at “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome“.

Vulners web vulnerability scanner v.2.0

Killing feature of Vulners web scanner v. 2.0 is that you can now see all vulnerabilities on all scanned sites in a single window. You don’t need to checks all Google Chrome tabs manually.

Moreover, if some sites make request to other servers, for example googleapis.com, these servers will be checked automatically.

The plugin was fully refactored and now it is React driven. It works faster, analysis more data sources and detects vulnerabilities more accurately.

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: PHP

Trending vulnerabilities for June according to Positive Technologies

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

Critical Remote Code Execution – PHP on Windows hosts (CVE-2024-4577) vulnerability with a public exploit

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0