Phpseclib Large Binaryfield Integer Vulnerability

EXECUTIVE SUMMARY:

A security vulnerability has been identified within a widely used cryptographic library that permits uncontrolled resource consumption via a network attack vector. Carrying a high severity rating and a CVSS score of 7.5, this flaw presents a significant risk to service availability without requiring elevated privileges or user interaction. The vulnerability stems from a lack of input validation when processing specific mathematical fields, allowing attackers to trigger excessive computational overhead. Organizations utilizing this library for cryptographic operations must address this weakness to prevent potential service disruptions and maintain operational stability.[emaillocker id="1283"]

CVE-2023-49316: This vulnerability involves a denial of service flaw within the binary field component of the library. It is triggered when the system processes excessively large degrees during the parsing of untrusted files, such as cryptographic certificates or private keys. The lack of guardrails on these integers leads to exhaustive resource consumption, effectively crashing the affected application. This issue impacts environments where untrusted ASN.1 encoded data is accepted and processed for cryptographic validation.

The primary risk associated with this flaw is the total loss of availability for services relying on the library for secure communications. Immediate remediation is necessary to ensure that the processing of malicious cryptographic files does not result in a sustained denial of service.

RECOMMENDATION:

• We recommend you to update composer/phpseclib/phpseclib to version 3.0.34.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2f25-pfq3-c7h8