Solved

PHP vulnerability CVE-2014-3597 - how/what can it affect?

Posted on 2014-10-07
Last Modified: 2014-10-07
I'm trying to better understand PHP vulnerability CVE-2014-3597 and determine if this affects my environment or not (and how it could affect it if so).

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597


Specifically, if I have a small network of servers, two running DNS, and some web servers running PHP (mostly WordPress sites, for example), do I need to be concerned about this at the moment? (My servers run Windows, but this appears to affect all PHP installations.)

The posted fix is to upgrade PHP, but due to scheduling I may not be able to do this for some time, so I'm trying to gauge the severity; this may not even apply to me, I don't know.


The vulnerability seems to be related to DNS, which is why I'm not sure how to interpret this. My DNS servers don't run PHP, and I don't understand if the web sites on my web servers that do run PHP are affected by this.


Which case is it....

- Sites with an affected PHP version can be used to DoS other sites on the Internet remotely? (Does the web site have to first be compromised/files exploited, or can a remote request to a URL on the server trigger this?)

- Web server is vulnerable to being successfully hit by a DoS attack when sites are on that server with an affected PHP version?


The NIST site describes this as:

"Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049."


(As a side note, this does appear to affect PHP running in any OS; https://bugs.php.net/bug.php?id=67717 shows the OS is "irrelevant", so I assume this does affect our environment, but I'm looking for a clear explanation of exactly how we could be affected by this.)


Can someone please explain how this could affect a web server hosting PHP web sites?


Thank you
Question by:Vas
 
LVL 34

Accepted Solution

by:
gr8gonzo earned 250 total points
ID: 40366099
Basically, the way the exploit works is that PHP has some functions that allow you to talk to a remote DNS server. For example, you might want to create an email validation application that takes an address like foobar@gmail.com, talks to gmail.com's DNS servers to find their MX servers so you can then ask the MX servers if they have a valid mailbox for "foobar". The process to query the DNS servers is flawed in the versions mentioned in the CVE.

Basically, if you run those DNS-querying functions on a vulnerable version of PHP, and you happen to query a malicious DNS server (not gmail.com but maybe reallybadguy.evil), that DNS server could return a DNS record that is NOT meant to actually give you real results but it is crafted in such a way that it tries to exploit the bug mentioned in the CVE. This isn't a perfect example, but it could return a DNS record that is so huge that it is bigger than what PHP expects, so PHP has a hard time storing the data, and the data that DOESN'T fit in PHP's buffer spills over into an area that could be executed as if it were another kind of authorized code.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 40366104
The short answer:
1. If you're not running PHP on a server, then that server will not be affected.
2. If you are running a vulnerable version of PHP but you are not doing any DNS queries, then you will not be affected.
3. If you are doing DNS queries against only known DNS servers (e.g. against your own internal servers), then you will not be affected.
4. If you are running a vulnerable version of PHP, and you are running a PHP script that queries DNS servers, AND you are not limiting/controlling which domains/DNS servers you query, then you could be at risk.
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 40366111
On a side note, you'd also likely have to be under a direct attack from a malicious user. The user would have to know that you query DNS servers with PHP, so they would have to set up a DNS server to return malicious DNS records, and then would have to do something to prompt your script to contact their DNS server. Unless you're a target of value (to a random hacker), the chances of being hit are probably pretty low. That's a lot of trouble to go through if a hacker doesn't know all the circumstances upfront.
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40366169
As I understand it, this bug is related to specific PHP functions and if your code does not use those functions, you're probably OK.  I say "probably" because the CVE and the bug report are not very clear.  Example: There is no such thing as the php_parserr function, nor is there dn_expand or dns_expand.  There is a dns_get_record() function, but you would know if you were using this in your code.  I made a search of all of my PHP libraries and I've never used it, even in external packages that I've installed, including WordPress, Joomla and others.

If it were my job to maintain the servers, I would want to make it a standard practice to keep PHP at the current level.  Current versions and release levels are shown on http://php.net
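The two checks discussed in the answers above (is the PHP version inside the range NVD gives, and does any code on the server call dns_get_record()), as an added example that is not part of the original thread. The function names and the sample PHP snippet are constructed for illustration; the version range is the one quoted from NVD in the question.

```python
import re
from pathlib import Path

# Affected range quoted from NVD in the question:
# "PHP before 5.4.32 and 5.5.x before 5.5.16".
FIXED_54, FIXED_55 = (5, 4, 32), (5, 5, 16)
# PHP function names are case-insensitive. The lookbehind skips method calls
# (->, ::), variables ($) and longer names such as my_dns_get_record().
CALL_RE = re.compile(r"(?<![\w>:$])dns_get_record\s*\(", re.IGNORECASE)
# Constructed sample input, not taken from any real project.
SAMPLE = """<?php
// dns_get_record() is only mentioned in this comment
$mx = dns_get_record($domain, DNS_MX);
$obj->dns_get_record($x);
$r = \\DNS_GET_RECORD("example.test", DNS_TXT);
"""

def is_affected(version):
    # True if a version string such as "5.4.31" falls in the quoted range.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    v = tuple(int(part) for part in m.groups())
    return v < FIXED_55 if v[:2] == (5, 5) else v < FIXED_54

def find_calls(source):
    # 1-based line numbers that call dns_get_record(). Heuristic: lines that
    # start as comments are skipped; string literals are not parsed.
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if not line.lstrip().startswith(("//", "#", "*", "/*"))
            and CALL_RE.search(line)]

def scan_tree(root):
    # Map each *.php file under root that calls dns_get_record() to its lines.
    found = {}
    for path in sorted(p for p in Path(root).rglob("*.php") if p.is_file()):
        hits = find_calls(path.read_text(errors="replace"))
        if hits:
            found[str(path)] = hits
    return found

def triage(version, found):
    if not is_affected(version):
        return "version outside the affected range"
    if not found:
        return "affected version, no dns_get_record() calls found"
    return "affected version calling dns_get_record(): check who controls the queried names"
```

Distribution packages sometimes backport a fix without changing the upstream version number, so a version inside the range is a prompt to check the package changelog rather than proof of exposure.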
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 40366407
The dn_expand and php_parserr functions are in the C source code for the engine. The dns_get_record PHP function is the exposed function that makes use of those from the compiled engine.
 
LVL 1

Author Closing Comment

by:Vas
ID: 40366495
Thank you for the feedback, it was very helpful. Much appreciated.