Mitel Product Security Advisory OBSO-2407-01

PHP CGI Module Argument Injection Vulnerability

Advisory ID: OBSO-2407-01

Publish Date: 2024-07-10

Last Updated: 2024-07-10

Revision: 1.0

 

Summary

In June 2024, the following vulnerability in PHP was disclosed:

CVE-2024-4577: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

OpenScape Voice Trace Manager version OSV-TM V8 R0.9.13 and earlier utilizes the vulnerable PHP scripting engine and may be affected by the PHP argument injection vulnerability, which could allow an unauthenticated attacker to conduct an argument injection attack. A successful exploit of this vulnerability could allow a malicious user to pass options to the PHP binary being run and thus reveal the source code of scripts and run arbitrary PHP code on the server.

Based on the available information, the PHP Argument Injection vulnerability may only be exploited if the web server is running on Windows. This is because the root cause involves how Windows converts certain string characters, depending on the locale setting. Additionally, the web server must be running a vulnerable version of the PHP scripting engine. PHP scripting must also be exposed by the web server via the CGI mechanism or by exposing the PHP binary, which is the default configuration in XAMPP.
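The three conditions above (Windows host, vulnerable PHP version, PHP exposed via CGI or as a binary) can be checked per host during triage. The following is an added example, not Mitel's or the PHP project's code; the inventory fields `os`, `php_version` and `php_cgi_exposed` and the sample hosts are assumptions constructed for illustration.

```python
import re

# First fixed patch release per branch, from the CVE-2024-4577 text above.
FIXED_PATCH = {(8, 1): 29, (8, 2): 20, (8, 3): 8}

def version_status(version_text):
    """Classify a PHP version string as 'vulnerable', 'fixed' or 'unlisted'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no x.y.z version in {version_text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unlisted"  # branch not named in the advisory: review by hand
    return "vulnerable" if patch < fixed else "fixed"

def triage(host):
    """Return (verdict, reasons) for one inventory record.

    host keys (hypothetical inventory fields): os, php_version, php_cgi_exposed.
    """
    if host["os"].strip().lower() != "windows":
        return "conditions_not_met", ["web server is not running on Windows"]
    if not host["php_cgi_exposed"]:
        return "conditions_not_met", ["PHP is not exposed via CGI or as a binary"]
    status = version_status(host["php_version"])
    if status == "fixed":
        return "conditions_not_met", ["PHP version is at or above the fixed release"]
    if status == "unlisted":
        return "review", ["PHP branch is outside the ranges the advisory lists"]
    return "update", ["Windows host, PHP-CGI exposed, PHP version in affected range"]

# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    {"name": "tm-01", "os": "Windows", "php_version": "8.2.12", "php_cgi_exposed": True},
    {"name": "tm-02", "os": "Windows", "php_version": "PHP/8.1.29", "php_cgi_exposed": True},
    {"name": "tm-03", "os": "Linux", "php_version": "8.3.7", "php_cgi_exposed": True},
    {"name": "tm-04", "os": "Windows", "php_version": "7.4.33", "php_cgi_exposed": True},
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        verdict, reasons = triage(h)
        print(f"{h['name']}: {verdict} ({'; '.join(reasons)})")
```

A `review` verdict means the branch is outside the version ranges quoted in this advisory, so it needs a manual check rather than being treated as safe.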

The vulnerability severity is rated as critical.

 

Affected Products

Product statements are related only to supported product versions. Products which have reached End of Support (M44) status are not considered.

Products confirmed affected

The following products utilize the vulnerable PHP scripting engine:

 

Products confirmed not affected

Unify OpenScape Deployment Service V10 (see Note 1)

Additional Notes

Note 1:
OpenScape Deployment Service is not directly impacted as it does not deliver PHP. DLS delivers a PHP script (dls_directory_reader.php) that the admin can use to integrate DLS into an existing Apache server. Customers that use the PHP script should check their configuration and update their PHP stack to a fixed version.

 

Risk Assessment

CVSS3.1 Base score: 9.8 (Critical)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Mitigation / Recommended Action

Customers with affected product versions are advised to update the systems with the available fixes.

Workarounds

- Operate OpenScape Voice Trace Manager in a secured network protected by a firewall
- Do not publicly expose the OpenScape Voice Trace Manager web interface
- Restrict access to the web interface to known IP networks/host IP addresses that require access
- Disable remote access to the web interface and enable access through change management procedures when required

 

External References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4577

https://nvd.nist.gov/vuln/detail/CVE-2024-4577

https://www.cisa.gov/news-events/alerts/2024/06/12/cisa-adds-two-known-exploited-vulnerabilities-catalog

https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/

 

Related CVEs / CWEs / Advisories

CVE-2024-4577

 

Revision History

Version Date Description
1.0 10.07.2024 Initial release

 


 

Advisory: OBSO-2407-01, status: general release
Security Advisories are released as part of Mitel Unify's Vulnerability Intelligence Process. For more information see https://www.mitel.com/support/security-advisories.

Contact and Disclaimer

Mitel Product Security Office
[email protected]
© Unify Software and Solutions GmbH & Co. KG 2024
Otto-Hahn-Ring 6
D-81739 München
www.mitel.com

The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice.
Unify, OpenScape, OpenStage and HiPath are registered trademarks of Unify Software and Solutions GmbH & Co. KG.

All other company, brand, product, and service names are trademarks or registered trademarks of their respective holders.
