phpseclib: Input Validation Error, CVE-2024-27354 (High)

Listen to this Post

🐢▶️ Listen🚀

How CVE-2024-27354 Works

The vulnerability exists in the `isPrime()` and `randomPrime()` functions of phpseclib’s `BigInteger` implementation. These functions lack proper size validation for user‑supplied input. An unauthenticated remote attacker can craft a malformed X.509 certificate containing an extremely large prime number (e.g., tens of thousands of bits) and feed it to an application that uses these functions. When the application attempts to verify the primality of that huge number, the library performs a computationally expensive probabilistic primality test. The lack of size guardrails allows the test to run for an inordinately long time, consuming 100% CPU and effectively halting the application. This results in a classic Denial of Service (DoS) condition. The issue was discovered by researchers Shi and Bing et al. and presented at USENIX Security ’25. The root cause is the absence of a hard bound on the bit length of numbers passed to these functions, allowing an attacker to force arbitrary CPU‑intensive operations.

DailyCVE Form

Platform: phpseclib
Version: 1.0.0‑1.0.22,2.0.0‑2.0.46,3.0.0‑3.0.35
Vulnerability: Input validation error
Severity: High
Date: 2024‑02‑27

Prediction: Patch expected 2024‑02‑23

What Undercode Say:

Check your phpseclib version
composer show phpseclib/phpseclib | grep versions
If vulnerable, update to a fixed version
composer require phpseclib/phpseclib:^1.0.23 for 1.x
composer require phpseclib/phpseclib:^2.0.47 for 2.x
composer require phpseclib/phpseclib:^3.0.36 for 3.x

Exploit:

No public exploit is available. However, an attacker would deliver a specially crafted X.509 certificate (e.g., during a TLS handshake or as a PKCS8 key) containing an oversized prime. When the application calls `isPrime()` on that value, the library enters a prolonged primality test, exhausting CPU resources.

Protection from this CVE

• Upgrade to phpseclib 1.0.23, 2.0.47, or 3.0.36 or later.
• If using the GMP extension, ensure it has internal size guardrails (though upgrading is the primary fix).
• Rate‑limit or filter incoming ASN.1 structures that could trigger primality checks.

Impact

• Scope: Unauthenticated remote attacker can cause a Denial of Service.
• Technical consequence: High CPU consumption leading to application unresponsiveness or crash.
• CVSS Base Score: 7.5 (High) – Network exploitable, low attack complexity, no privileges required.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin