
US HC3 issues warning about critical PHP vulnerability affecting healthcare sector

The Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS) has issued a sector alert warning of a critical security vulnerability in the PHP programming language that affects the healthcare sector. The alert gives an overview of the vulnerability and strategies for remediation.

“Administrators are advised to update their systems following the discovery of a critical vulnerability in PHP that could allow remote code execution. PHP, or Hypertext Preprocessor, is a widely used open source scripting language used to create dynamic web pages and applications on Windows and Linux servers,” HC3 noted in its recent industry alert. “It is a general-purpose language that can be embedded in HTML, making it popular with developers as it simplifies HTML code.”

The vulnerability, designated CVE-2024-4577 and discovered on May 7, 2024, affects PHP running on Windows in every version branch from 5.x onward, so a large number of servers worldwide are potentially exposed. The supported branches affected are 8.3 before 8.3.8, 8.2 before 8.2.20, and 8.1 before 8.1.29. Older branches (8.0, 7.x, and 5.x) are also vulnerable but have reached end of life and will not receive a patch, so administrators running them must rely on the mitigation guidance rather than an update.

“The vulnerability is actually a recurrence of an argument injection bug that was patched more than a decade ago. In 2012, an overlooked best-fit encoding conversion feature in the Windows operating system’s implementation of PHP allowed unauthenticated attackers to bypass the previous CVE-2012-1823 protections by using certain strings,” the alert continues. “The newly discovered vulnerability occurs when a server or PC is running in certain configurations that expose Common Gateway Interface (CGI), which allows web servers to execute an external program to handle HTTP or HTTPS user requests. This means that if PHP is configured to allow certain types of CGI interaction, arbitrary arguments can be injected remotely. This, in turn, would allow a potential attacker to trigger code execution on the target server and take complete control.”

According to HC3, CVE-2024-4577 only affects PHP when it is running in CGI mode, in which a web server parses HTTP requests and passes them to a PHP script for processing. “Even if PHP is not set to CGI mode, the vulnerability can still be exploited if PHP programs such as php.exe and php-cgi.exe are located in directories accessible to the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless modified,” it continues.

The agency noted that the researcher who discovered this vulnerability explained that while it is difficult to assess whether a given machine is exposed to the attack scenario, some systems are more at risk than others. “While Windows systems running Japanese, Traditional Chinese, or Simplified Chinese are all considered vulnerable, the risk to other systems depends on whether CGI mode is enabled or the PHP binary is exposed. For Windows running other languages such as English, Korean, and Western European, it is currently not possible to fully enumerate and rule out all potential exploitation scenarios due to the wide range of PHP usage scenarios,” it added.

Although the vulnerability had been public for only a few days, cybersecurity researchers confirmed exploitation attempts against their honeypot servers within 24 hours of public disclosure. As with any critical vulnerability affecting many devices, both threat actors and researchers began scanning for vulnerable systems immediately after the disclosure.

Since it can be difficult to determine whether a system is vulnerable, researchers recommend updating the PHP installation to the fixed release of the branch in use (8.3.8, 8.2.20, or 8.1.29). For systems that cannot be updated immediately, and for users of end-of-life versions, the recommended stopgap is an Apache “mod_rewrite” rule that blocks the malicious query strings before they reach PHP.
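To make the alert's two technical points concrete, the following Python script is an added example; it is not code from HC3, from the researchers who reported the bug, or from the PHP project. It models the argument-injection mechanism the alert describes (a query string whose first argument does not begin with '-' passes the 2012-era check, and only afterwards does Windows best-fit conversion turn the 0xAD soft-hyphen byte into '-', so php-cgi ends up parsing injected options), then applies the check performed by the published Apache mod_rewrite mitigation rule (reject any query string that begins with a percent-encoded soft hyphen, case-insensitively) to a few constructed access-log lines. The best-fit table is trimmed to that single byte, the /php-cgi/ path and the log lines are constructed for the example, and the function names are the example's own.

```python
"""Added example (not from the HC3 alert, the reporting researchers, or the PHP project).

Models the two facts the alert states: a query string whose first argument
does not begin with '-' passes the 2012-era check, yet Windows best-fit
conversion turns the byte 0xAD (soft hyphen) into '-' before php-cgi parses
its options; and the published Apache mitigation, which rejects a query
string that begins with the percent-encoded soft hyphen.  The best-fit
table is trimmed to that single code point (assumption: the real Windows
code-page tables map many more), and the log lines below are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Best-fit mapping modelled for the one byte that matters here.
BEST_FIT = {0xAD: ord("-")}

# Equivalent of the recommended Apache rule for hosts that cannot be patched:
#   RewriteCond %{QUERY_STRING} ^%ad [NC]
#   RewriteRule .? - [F,L]
MITIGATION_RE = re.compile(r"^%ad", re.IGNORECASE)

# Apache combined log format, enough to pull out client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def cgi_argv(query_string: str) -> list[bytes]:
    """Arguments a CGI-capable web server hands php-cgi.exe when the query
    string contains no literal '=' (RFC 3875, section 4.4): split on '+'
    and URL-decode each piece.  A query string containing '=' is not passed as argv."""
    if "=" in query_string:
        return []
    return [unquote_to_bytes(piece) for piece in query_string.split("+")]


def passes_legacy_check(argv: list[bytes]) -> bool:
    """The CVE-2012-1823 style protection: refuse argv whose first entry is an
    option switch.  It looks at the raw bytes, before any conversion."""
    return not (argv and argv[0].startswith(b"-"))


def best_fit(raw: bytes) -> str:
    """Lossy conversion the argument bytes undergo before option parsing."""
    return "".join(chr(BEST_FIT.get(b, b)) for b in raw)


def php_cgi_argv(query_string: str) -> list[str]:
    """What php-cgi's option parser finally sees.  Empty when the legacy check
    rejected the request or nothing was passed as argv."""
    argv = cgi_argv(query_string)
    if not passes_legacy_check(argv):
        return []
    return [best_fit(arg) for arg in argv]


def blocked_by_mitigation(query_string: str) -> bool:
    """True if the mod_rewrite rule above would answer 403 to this request."""
    return MITIGATION_RE.match(query_string) is not None


def scan_access_log(lines):
    """Return (client_ip, request_target) for every logged request the
    mitigation rule would have blocked: a quick retroactive check for
    exploitation attempts against a host that was unpatched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        query_string = target.partition("?")[2]
        if blocked_by_mitigation(query_string):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample log: one injection attempt against an exposed php-cgi.exe
# (a /php-cgi/ path, as a default XAMPP for Windows install exposes), one benign
# request, and a lowercase variant that the rule's [NC] flag is there for.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2024:10:12:01 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2024:10:13:44 +0000] "GET /index.php?page=home'
    ' HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Jun/2024:10:15:02 +0000] "GET /index.php?%add+display_errors%3d1'
    ' HTTP/1.1" 200 77 "-" "curl/8.6.0"',
]


if __name__ == "__main__":
    injected = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
    print("raw first argument:", cgi_argv(injected)[0])  # b'\xadd': no leading '-' yet
    print("after best-fit:", php_cgi_argv(injected))
    # ['-d', 'allow_url_include=1', '-d', 'auto_prepend_file=php://input']
    print("blocked by rule:", blocked_by_mitigation(injected))  # True
    for ip, target in scan_access_log(SAMPLE_LOG):
        print("exploitation attempt from", ip, "->", target)
```

Running the script prints the argv php-cgi would parse and the two flagged log entries. The rewrite rule is specific to Apache httpd; a site served by IIS or another server needs an equivalent query-string filter, and in every case the rule is a stopgap rather than a substitute for moving to a fixed release.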

HC3 also stated: “As of June 7, 2024, researchers have only tested three locales, which have now been confirmed as vulnerable. Researchers have not yet tested other locales due to the wide range of PHP usage scenarios for locales such as English, Korean, and Western European. Therefore, they urge users to conduct a comprehensive asset assessment to test their usage scenarios.”

In addition to an HC3 analyst note and DDoS guide for the healthcare sector on defending against ransomware and extortion attacks, cybersecurity experts recommend that the healthcare industry recognize the ever-present threat of cyberwarfare. They suggest that security teams focus on training and educating employees to resist social engineering delivered by email and through network access. They also advise assessing organizational risk against all potential vulnerabilities, prioritizing a comprehensive security plan with sufficient budget, staff and tools, and developing a clear cybersecurity roadmap that is understood across the healthcare organization.

“The Cybersecurity & Infrastructure Security Agency (CISA) also offers Cyber Hygiene Vulnerability Scanning services at no charge to federal, state, local, tribal and territorial governments, as well as to critical infrastructure organizations in the public and private sectors,” HC3 added. “This service helps organizations monitor and assess their external network posture. The likelihood of cyber threat actors targeting the healthcare industry remains high.”

It added that the best course of action for healthcare organizations remains to prioritize security by being aware of the threat landscape, assessing their situation and providing their employees with the necessary tools and resources to prevent a cyberattack.

Earlier this month, HC3 issued an industry alert on vulnerabilities in Baxter Welch Allyn devices used across the sector. The move followed two medical industrial control system (ICS) advisories issued by CISA on Baxter products, covering the Baxter Welch Allyn Configuration Tool and the Baxter Welch Allyn Connex Spot Monitor (CSM). Both vulnerabilities received a CVSS v4 score of 9 or higher and can be exploited remotely.