Mitel Product Security Advisory 24-0018

Advisory ID: 24-0018

Publish Date: 2024-07-10

Last Updated: 2024-07-10

Revision: 1.0

Summary

In June 2024, the following vulnerabilities in PHP were disclosed:

CVE-2024-4577: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Based on the available information, the PHP Argument Injection vulnerability may only be exploited if the web server is running on Windows. This is because the root cause involves how Windows converts certain string characters, depending on the locale setting. Additionally, the web server must be running a vulnerable version of the PHP scripting engine. PHP scripting must also be exposed by the web server via the CGI mechanism or by exposing the PHP binary, which is the default configuration in XAMPP.

Affected Products

Security Bulletins are being issued for the following products:

Risk Assessment

The risk for CVE-2024-4577 vulnerability is rated as Critical. Refer to the product Security Bulletins for additional statements regarding risk.

Mitigation / Recommended Action

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

• NVD - CVE-2024-4577 (nist.gov)
• CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
• Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability | DEVCORE

Related CVEs / CWEs / Advisories

CVE-2024-4577

Revision History