CVE-2024-8926

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Oct 7, 2024 / Updated: 43d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using certain non-standard configurations of Windows codepages, the fixes for a previous vulnerability (CVE-2024-4577) may be bypassed. This bypass can lead to command injection related to Windows "Best Fit" codepage behavior. The vulnerability potentially allows malicious users to pass options to the PHP binary being run, which could result in revealing the source code of scripts or running arbitrary PHP code on the server.

Impact

The impact of this vulnerability is severe, with a CVSS v3.1 base score of 8.1 (HIGH severity). It affects the confidentiality, integrity, and availability of the system, all rated as HIGH. Successful exploitation could allow attackers to: 1. Reveal the source code of PHP scripts, potentially exposing sensitive information or application logic. 2. Execute arbitrary PHP code on the affected server, which could lead to complete system compromise. 3. Potentially escalate privileges or perform other malicious actions depending on the server configuration and the attacker's capabilities. The vulnerability has a network attack vector, requires no user interaction, and no privileges, making it potentially attractive to attackers despite its high attack complexity.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available for this vulnerability. The issue has been addressed in PHP versions 8.1.30, 8.2.24, and 8.3.12 and later versions. Patch details were added on 2024-10-07, and there is an associated bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2317050) for further information.

Mitigation

1. Update PHP installations to the patched versions immediately: 8.1.30 or later for the 8.1 branch, 8.2.24 or later for the 8.2 branch, and 8.3.12 or later for the 8.3 branch. 2. If immediate patching is not possible, implement additional security measures: - Restrict access to PHP installations, especially on Windows systems. - Review and tighten configurations related to Windows codepages. - Implement strict input validation and sanitization for any user-supplied data that might interact with PHP processes. 3. Conduct a thorough assessment of all PHP installations in your environment to identify affected systems. 4. Monitor the Red Hat security advisory (https://access.redhat.com/security/cve/cve-2024-8926) for any updated information or additional mitigation strategies. 5. After applying patches, verify that the fix has been successfully implemented and that systems are no longer vulnerable. 6. Consider implementing additional security layers, such as Web Application Firewalls (WAF), to help mitigate potential exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8926. See article

Sep 26, 2024 at 2:12 PM / news-web.php.net: php.internals
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514132)

Sep 27, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (514133)

Sep 27, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (38961)

Sep 27, 2024 at 7:53 AM
Threat Intelligence Report

CVE-2024-8926 is a critical OS Command Injection vulnerability that allows remote attackers to execute arbitrary OS commands on the system due to improper input validation in the PHP-CGI implementation. The details provided do not specify a CVSS score, evidence of exploitation in the wild, proof-of-concept exploits, or available mitigations and patches. Additionally, there is no information regarding downstream impacts to other third-party vendors or technologies. See article

Sep 28, 2024 at 12:25 AM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 28, 2024 at 4:00 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (286178)

Oct 2, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208018)

Oct 2, 2024 at 11:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208048)

Oct 3, 2024 at 3:15 AM
Static CVE Timeline Graph

Affected Systems

Php-fpm/php-fpm
+null more

Patches

bugzilla.redhat.com
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

Vendor Advisory

CVE-2024-8926
CVE Id: CVE-2024-8926 Release Date: 2024-10-07 Update Date: 2024-10-07 Impact Moderate Description No description is available for this CVE. Bugzilla 2317050 - php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass) Affected Packages and Issued Red Hat Security Errata

References

Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
OS Command Injection: The vulnerability allows a remote attacker to send specially crafted HTTP request to the application and execute arbitrary OS commands on the system due to improper input validation in PHP-CGI implementation. Security features bypass: The vulnerability allows a remote attacker to bypass implemented security restriction and gain unauthorized access to the application due to environment variable collision, which can lead to cgi.force_redirect bypass.
📢 Multiple Vulnerabilities in PHP Could Allow for Remote Code Execution
OS Command Injection: The vulnerability allows a remote attacker to send specially crafted HTTP request to the application and execute arbitrary OS commands on the system due to improper input validation in PHP-CGI implementation. Security features bypass: The vulnerability allows a remote attacker to bypass implemented security restriction and gain unauthorized access to the application due to environment variable collision, which can lead to cgi.force_redirect bypass.

News

Prepare NEWS for 8.4.0
Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi). Fixed missing error when adding asymmetric visibility to static properties.
Fedora 41 : php (2024-a03b06dbd0)
The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-a03b06dbd0 advisory. The remote Fedora host is missing one or more security updates.
Fix 8.4 NEWS file
Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi). Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
Merge branch 'PHP-8.3' into PHP-8.4
Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi). Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
microsoft_mariner CVE-2024-8926: CVE-2024-8926
Released Last Updated: 11/3/2024 CVEs: CVE-2024-8926 Plugins: 210131
See 69 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI