Vas asked:

PHP vulnerability CVE-2014-3597 - how/what can it affect?

I'm trying to better understand PHP vulnerability CVE-2014-3597 and determine if this affects my environment or not (and how it could affect it if so).

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597


Specifically, if I have a small network of servers, two running DNS, and some web servers running PHP (mostly WordPress sites, for example), do I need to be concerned about this at the moment? (My servers run Windows, but this appears to affect all PHP installations.)

The posted fix is to upgrade PHP, but due to scheduling I may not be able to do this for some time, so I'm trying to gauge the severity. This may not even apply to me; I don't know.


The vulnerability seems to be related to DNS, which is why I'm not sure how to interpret this. My DNS servers don't run PHP, and I don't understand if the web sites on my web servers that do run PHP are affected by this.


Which case is it....

- Sites with an affected PHP version can be used to DoS other sites on the Internet remotely? (Does the web site have to first be compromised/files exploited, or can a remote request to a URL on the server trigger this?)

- Web server is vulnerable to being successfully hit by a DoS attack when sites are on that server with an affected PHP version?


The NIST site describes this as:

"Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049."


(As a side note, this does appear to affect PHP running in any OS; https://bugs.php.net/bug.php?id=67717 shows the OS is "irrelevant", so I assume this does affect our environment, but I'm looking for a clear explanation of exactly how we could be affected by this.)


Can someone please explain how this could affect a web server hosting PHP web sites?


Thank you
ASKER CERTIFIED SOLUTION
gr8gonzo
The short answer:
1. If you're not running PHP on a server, then that server will not be affected.
2. If you are running a vulnerable version of PHP but you are not doing any DNS queries, then you will not be affected.
3. If you are doing DNS queries against only known DNS servers (e.g. against your own internal servers), then you will not be affected.
4. If you are running a vulnerable version of PHP, and you are running a PHP script that queries DNS servers, AND you are not limiting/controlling which domains/DNS servers you query, then you could be at risk.
On a side note, you'd also likely have to be under a direct attack from a malicious user. The user would have to know that you query DNS servers with PHP, so they would have to set up a DNS server to return malicious DNS records, and then would have to do something to prompt your script to contact their DNS server. Unless you're a target of value (to a random hacker), the chances of being hit are probably pretty low. That's a lot of trouble to go through if a hacker doesn't know all the circumstances upfront.
SOLUTION
The dn_expand and php_parserr functions are in the C source code for the engine. The dns_get_record PHP function is the exposed function that makes use of those from the compiled engine.
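
The triage described in the two answers above, as an added example that is not part of any post in this thread: it checks a PHP version against the ranges in the NVD text quoted in the question and scans PHP source for direct `dns_get_record` calls, separating fixed hostnames from ones built at run time. The function names, result labels and sample files are assumptions made for illustration, and the regex scan is a heuristic, not a PHP parser.

```python
import re
from pathlib import Path

# Affected ranges as quoted from NVD on this page:
# "PHP before 5.4.32 and 5.5.x before 5.5.16".
def is_vulnerable_version(version: str) -> bool:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return v < (5, 4, 32) or (5, 5, 0) <= v < (5, 5, 16)

# Direct calls only; the lookbehind skips methods and longer names.
CALL = re.compile(r"(?<![\w>:$])dns_get_record\s*\(\s*([^,)]*)", re.I)
LITERAL = re.compile(r"""(['"])[^'"$]*\1""")

def find_dns_calls(source: str):
    """Return (line_no, kind) per call; kind is 'fixed' when the hostname
    is a plain string literal, 'dynamic' when it is built at run time."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # heuristic: skip comment-only lines
        for m in CALL.finditer(line):
            arg = m.group(1).strip()
            hits.append((no, "fixed" if LITERAL.fullmatch(arg) else "dynamic"))
    return hits

def triage(version: str, sources: dict) -> str:
    """Walk the cases from the accepted answer for one server's PHP code."""
    if not is_vulnerable_version(version):
        return "patched"
    kinds = {k for src in sources.values() for _, k in find_dns_calls(src)}
    if not kinds:
        return "no-dns-lookups"
    return "review-dynamic-hostnames" if "dynamic" in kinds else "fixed-hostnames-only"

def load_tree(root: str) -> dict:
    """Read every *.php file under root (e.g. a WordPress install)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}

# Constructed sample input, not taken from any real site.
SAMPLE = {
    "contact.php": "<?php\n// dns_get_record($x) in a comment\n"
                   "$mx = dns_get_record($_POST['domain'], DNS_MX);\n",
    "health.php": "<?php\n$a = dns_get_record('intranet.example', DNS_A);\n",
}

if __name__ == "__main__":
    for v in ("5.4.31", "5.5.16"):
        print(v, triage(v, SAMPLE))
```

Pass `load_tree()` of a site root to `triage()` along with the server's PHP version; a `review-dynamic-hostnames` result marks the sites to prioritise for the upgrade.
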
Vas (ASKER)

Thank you for the feedback, it was very helpful. Much appreciated.