Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757)

The PHP development team recently announced security updates that addressed several vulnerabilities. The vulnerabilities are mostly critical and involve arbitrary command injection, authentication bypass, and Denial-of-Service (DoS) risks.

The widespread use of PHP exposes a large attack surface that may be vulnerable to these exploits, reiterating the urgency for patching.

What are the latest PHP vulnerabilities? CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757

The vulnerabilities addressed by PHP’s most recent update are as follows:

CVE-2024-1874(CVSS: 10)

Due to improper command-line handling on Windows, this vulnerability presents a serious risk of command injection via the array-ish $command parameter of proc_open.

Attackers may be able to execute arbitrary commands through CVE-2024-1874, which could lead to complete takeovers of systems if PHP applications run batch (.bat) or command (.cmd) files.

CVE-2024-2756(CVSS: 6.5)

Another vulnerability, CVE-2024-2756, arises from a partial fix of a previous vulnerability (CVE-2022-31629), as mentioned in PHP’s update changelog. Exploiting this vulnerability could enable attackers to set malicious cookies misinterpreted by PHP applications as __Host or __Secure cookies, thereby facilitating session hijacking or cross-site attacks. A Proof-of-Concept (PoC) exploit for this vulnerability is available on GitHub.

CVE-2024-3096 (CVSS: 4.8)

This vulnerability could allow attackers to bypass password authentication in systems utilizing password_hash, as password_verify may incorrectly return true. While it requires a user password starting with a null byte, exploitation could lead to Account Takeover (ATO) attacks.

CVE-2024-2757 (CVSS: 7.5) 

The final vulnerability affects the mb_encode_mimeheader function, which may run endlessly for certain inputs, potentially resulting in a Denial-of-Service (DoS) attack by disrupting email processing.

To easily monitor CVEs and exploitation trends in real-time, you can use SOCRadar’s Vulnerability Intelligence. The feature allows you to keep track of updates, identify exploits, and get insights for proactive vulnerability management.

Which PHP versions are affected?

The vulnerabilities CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757 affect PHP versions 8.1.28, 8.2.18, and 8.3.6.

For users of these versions, it is recommended to swiftly update to a secure version or implement the latest updates to mitigate the risk of exploitation.

For further details and to access the update announcement, visit here. Additionally, for the most recent updates and patches, you can refer to the PHP downloads page.

How to stay secure against PHP vulnerabilities?

Implementing additional security measures can significantly improve the security posture of your PHP applications and mitigate the risks associated with these vulnerabilities.

• If immediate updating is not possible, be cautious when running command-line operations from PHP, especially on Windows systems.
• Examine your cookie handling procedures to ensure that the prefixes “__Host-” and “__Secure-” are properly verified.
• Examine email processing functions to determine potential attack vectors for the mb_encode_mimeheader vulnerability.

By taking these extra precautions, you can strengthen the security of your PHP applications and minimize the impact of vulnerabilities.

Keep Your Defenses Sharp Against Exploitation with SOCRadar XTI

Stay one step ahead of cyber threats with SOCRadar’s advanced security solutions, enhancing your organization’s vulnerability management strategies.

By leveraging SOCRadar’s Attack Surface Management (ASM), along with Vulnerability Intelligence, you can stay informed about the latest security vulnerabilities and safeguard your products and software effectively.

Article Link: https://socradar.io/critical-php-vulnerabilities/