phpseclib, Variable-time HMAC comparison, No CVE (Low)

Listen to this Post

The vulnerability exists in `phpseclib\Net\SSH2::get_binary_packet()` at lines 3405 and 3410 (master branch). When verifying an SSH packet’s HMAC, the code uses PHP’s `!=` operator to compare the received HMAC ($hmac) against the locally computed hash. For equal-length binary strings, `!=` internally calls `memcmp()` via zend_binary_strcmp(). Modern libc implementations of `memcmp()` short‑circuit and return as soon as a differing byte is found. This creates a timing side‑channel: the comparison takes linearly more time the longer the matching prefix is. The same bug exists in all supported branches (1.0, 2.0, 3.0, master). The path is reached for every non‑AEAD cipher (e.g., aes128-ctr, 3des-cbc) combined with any non‑AEAD MAC (e.g., hmac-sha2-256). Proof‑of‑concept benchmarks show a monotonic timing increase with mismatch position – e.g., on 1024‑byte strings the delta between first‑byte and last‑byte mismatch is ~92 ns. `hash_equals()` would be constant‑time, and the library already uses it in nine other places. Although real‑world network exploitation is infeasible due to SSH disconnecting on MAC failure and per‑connection session keys, the issue is a genuine CWE‑208 (observable timing discrepancy) that breaks cryptographic hygiene.

dailycve form:

Platform: phpseclib SSH2
Version: 1.0/2.0/3.0/master
Vulnerability: Variable‑time HMAC comparison
Severity: Low
date: 2026-04-11

Prediction: Immediate patch release

What Undercode Say:

Check vulnerable lines in SSH2.php
grep -n '!= \$this->hmac_check->hash' phpseclib/Net/SSH2.php
Verify hash_equals usage elsewhere
grep -r 'hash_equals' phpseclib/ --include=".php" | wc -l
Run timing PoC (requires PHP 8+)
php poc/02_scaling_test.php
One‑liner fix for all branches
sed -i 's/if (\$hmac != \$this->hmac_check->hash(/if (!hash_equals(\$this->hmac_check->hash(/' phpseclib/Net/SSH2.php

how Exploit:

Remote exploitation impossible – timing signal (~3‑14 ns) drowned by network jitter (100 µs+). Local attacker with repeated connections cannot accumulate oracle because each MAC failure disconnects and fresh session keys rotate. No byte‑by‑byte recovery (PoC 5 shows negative/random timing delta). Theoretical only.

Protection from this CVE

Replace `!=` with `hash_equals()` in SSH2.php lines 3405 and 3410 (and equivalent lines in branches 3.0, 2.0, 1.0). Upgrade to patched version once released, or manually apply the one‑liner fix. No configuration workaround exists.

Impact:

Low (defense‑in‑depth). No known plaintext recovery, no forgery, no integrity loss. Improves cryptographic hygiene and silences static analysis warnings. CVSS v3.1 = 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top