CVE-2024-27355 in phpseclib

Summary

by MITRE • 03/02/2024

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).


Analysis

by VulDB Data Team • 04/02/2025

CVE-2024-27355 is a denial of service flaw in the phpseclib library, affecting 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. The issue sits in the ASN.1 object identifier (OID) processing that underlies certificate handling in the library. It is triggered when phpseclib decodes a certificate whose ASN.1 object identifier carries a crafted sub identifier, which makes the decoder consume excessive CPU time.

The flaw is a lack of input validation and bounds checking in the decodeOID function that parses ASN.1 object identifiers. An attacker who supplies a specially crafted certificate containing such a sub identifier makes the decoder perform far more work than the size of the input justifies, because the parsing routine does not limit the length or range of the sub identifiers it accepts; the amount of processing is therefore controlled by the attacker rather than bounded by the library. The vulnerability is categorized under CWE-772, which covers missing release of resource after effective lifetime; here it manifests as CPU exhaustion through improper handling of ASN.1 structures.
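As an added example (not phpseclib's own code, and reconstructed from the description above rather than from the patched source), the following Python shows a minimal decoder for the content octets of a DER OBJECT IDENTIFIER in the unbounded shape that an overlong sub identifier can exploit, beside a bounded version that rejects such input before doing the work. The sample OID, the hostile_oid() generator, the MAX_SUBID_BYTES limit and the helper names are assumptions made for this example.

```python
# Added example for this entry (not phpseclib's code): a minimal decoder for
# the content octets of a DER OBJECT IDENTIFIER, first in the unbounded form
# that an overlong sub-identifier can run up, then with the bounds a hardened
# decoder should apply. All inputs below are constructed for the example.

# Constructed sample: content octets of 1.2.840.113549.1.1.11
# (sha256WithRSAEncryption), i.e. what follows the 0x06 tag and the length.
SAMPLE_OID = bytes.fromhex("2a864886f70d01010b")

# Assumption: no legitimate arc needs more than 10 base-128 bytes
# (10 bytes carry 70 bits, more than any 64-bit arc value).
MAX_SUBID_BYTES = 10


def hostile_oid(n: int) -> bytes:
    """Constructed attacker input: arcs 1.2 followed by one sub-identifier
    spanning n+1 bytes, every byte but the last with its continuation bit set."""
    return b"\x2a" + b"\xff" * n + b"\x7f"


def _split_first_arc(first: int) -> list:
    """The first content byte packs the first two arcs as 40*X + Y (X <= 2)."""
    x = min(first // 40, 2)
    return [x, first - 40 * x]


def decode_oid_naive(data: bytes):
    """Unbounded decoder. Returns (dotted string, work), where work counts the
    accumulator bits touched: every byte shifts the whole accumulator, so once
    the value outgrows a machine word it is an arbitrary-precision integer and
    the cost per byte grows with the bytes already consumed. Total work is
    quadratic in the sub-identifier length, the CPU-consumption pattern this
    entry describes for decodeOID (reconstructed from the description, not
    phpseclib's code)."""
    arcs, value, work = [], 0, 0
    for b in data:
        work += value.bit_length()
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, _split_first_arc(arcs[0]) + arcs[1:])), work


def decode_oid(data: bytes) -> str:
    """Bounded decoder: rejects the hostile shapes before doing the work.
    Raises ValueError on empty input, an arc longer than MAX_SUBID_BYTES,
    a non-minimal leading 0x80 byte, or a final byte with the continuation
    bit still set (truncated arc)."""
    if not data:
        raise ValueError("empty OID")
    arcs, value, count = [], 0, 0
    for b in data:
        if count == 0 and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        count += 1
        if count > MAX_SUBID_BYTES:
            raise ValueError(f"sub-identifier longer than {MAX_SUBID_BYTES} bytes")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value, count = 0, 0
    if count:
        raise ValueError("truncated sub-identifier")
    return ".".join(map(str, _split_first_arc(arcs[0]) + arcs[1:]))


if __name__ == "__main__":
    print(decode_oid(SAMPLE_OID))
    for n in (1000, 2000, 4000):
        _, work = decode_oid_naive(hostile_oid(n))
        print(f"naive decoder, {n}-byte arc: {work} accumulator bits touched")
    try:
        decode_oid(hostile_oid(1000))
    except ValueError as e:
        print("bounded decoder rejected hostile input:", e)
```

The work counter returned by decode_oid_naive grows as 7n(n+1)/2 for an arc of n continuation bytes, so doubling the arc quadruples the cost; this is why the expense escalates far faster than the input size once the accumulator has to be an arbitrary-precision integer. The bounded decoder fails on the eleventh byte of any arc and never builds the large value, which is the kind of check the fixed releases are expected to enforce.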

The impact is on availability: applications that rely on phpseclib for X.509 certificate parsing and validation, digital signature processing, or other cryptographic operations can be made to burn excessive CPU cycles by a single crafted certificate. This is most damaging in high-traffic deployments or where resources are already tight, since the decoding work can render the service unresponsive or cause cascading failures in dependent services. Any PHP application that hands attacker-supplied certificates to phpseclib is exposed, including web applications, mail systems, and other libraries built on top of it.

Mitigation requires updating affected phpseclib installations to the fixed releases: 1.0.23, 2.0.47, or 3.0.36 depending on the major version in use. As defense in depth, applications should cap the size of certificate data accepted from untrusted sources before passing it to phpseclib and run certificate parsing under a CPU time limit, so that a crafted input cannot monopolize a worker. Rate limiting and resource monitoring at the network and host level help detect and contain exploitation attempts. From an ATT&CK framework perspective, this vulnerability aligns with T1499.004 (Endpoint Denial of Service: Application or System Exploitation) and T1595.001 (Active Scanning: Scanning IP Blocks), the latter covering the reconnaissance an attacker might use to find exposed systems. The issue illustrates why cryptographic libraries need strict input validation, bounded resource use, and robust error handling in security-critical parsing code.

Reservation

02/25/2024

Disclosure

03/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00569

KEV

no

Activities

very low
