Mitel Product Security Advisory 24-0018
Mitel Product Security Advisory 24-0018
PHP Argument Injection Vulnerability Affecting Mitel Products
Advisory ID: 24-0018
Publish Date: 2024-07-10
Last Updated: 2024-07-10
Revision: 1.0
Summary
In June 2024, the following vulnerabilities in PHP were disclosed:
CVE-2024-4577: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Based on the available information, the PHP Argument Injection vulnerability may only be exploited if the web server is running on Windows. This is because the root cause involves how Windows converts certain string characters, depending on the locale setting. Additionally, the web server must be running a vulnerable version of the PHP scripting engine. PHP scripting must also be exposed by the web server via the CGI mechanism or by exposing the PHP binary, which is the default configuration in XAMPP.
Affected Products
Security Bulletins are being issued for the following products:
Product Name | Product Version | Security Bulletin | Last Updated |
---|---|---|---|
MiContact Center Enterprise | 9.7 SP1 and earlier | 24-0018-001 | 2024-07-10 |
Mitel CMG Suite | 9.0 and earlier | 24-0018-002 | 2024-07-10 |
Risk Assessment
The risk for CVE-2024-4577 vulnerability is rated as Critical. Refer to the product Security Bulletins for additional statements regarding risk.
Mitigation / Recommended Action
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
External References
- NVD - CVE-2024-4577 (nist.gov)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
- Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability | DEVCORE
Related CVEs / CWEs / Advisories
CVE-2024-4577
Revision History
Version | Date | Description |
---|---|---|
1.0 | 2024-07-10 | Initial version |