{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/asn1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["phpseclib (\u003e= 0.0.11, \u003c= 1.0.28)","phpseclib (\u003e= 2.0.0, \u003c= 2.0.53)","phpseclib (\u003e= 3.0.0, \u003c= 3.0.51)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","asn1","phpseclib"],"_cs_type":"advisory","_cs_vendors":["phpseclib"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the phpseclib library, affecting versions 0.0.11 through 1.0.28, 2.0.0 through 2.0.53, and 3.0.0 through 3.0.51. The vulnerability stems from improper handling of ASN.1 files, specifically during the \u003ccode\u003edecodeOID()\u003c/code\u003e function. When an application using a vulnerable version of phpseclib loads a crafted, malicious ASN.1 file (e.g., an X.509 certificate or RSA PKCS8 key), it can trigger excessive resource consumption, leading to a denial-of-service condition. This is due to the OID amplification. Successful exploitation can prevent legitimate users from accessing the affected service or application. Defenders should upgrade to the patched versions of phpseclib to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious ASN.1 file containing an overly complex or deeply nested OID structure.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted ASN.1 file to a system running a vulnerable application that uses phpseclib for ASN.1 parsing. This could be achieved through various means, such as uploading the file to a web server, emailing it as an attachment, or injecting it into a database.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application loads the crafted ASN.1 file using phpseclib.\u003c/li\u003e\n\u003cli\u003ephpseclib\u0026rsquo;s \u003ccode\u003eASN1::decodeOID()\u003c/code\u003e function is called to parse the OID within the ASN.1 file.\u003c/li\u003e\n\u003cli\u003eDue to the overly complex structure of the malicious OID, the \u003ccode\u003edecodeOID()\u003c/code\u003e function consumes excessive CPU and memory resources.\u003c/li\u003e\n\u003cli\u003eThe excessive resource consumption degrades the performance of the application and the underlying system.\u003c/li\u003e\n\u003cli\u003eRepeated attempts to load the malicious ASN.1 file further exacerbate the resource exhaustion, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the application or service, causing disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, rendering applications relying on phpseclib unavailable. The impact is high, as affected applications could be critical infrastructure or business-critical services. The number of potential victims is significant, as phpseclib is a widely used library in PHP-based applications. This vulnerability is particularly concerning for applications that handle untrusted ASN.1 files, such as those involved in certificate validation or cryptographic key management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecomposer/phpseclib/phpseclib\u003c/code\u003e package to a patched version (later than 1.0.28, 2.0.53, and 3.0.51) to remediate CVE-2026-44167.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e) for unusual patterns of ASN.1 file uploads or processing that may indicate an attempted exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High CPU Usage by PHP\u003c/code\u003e to identify potential DoS attacks related to this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-06T12:00:00Z","date_published":"2024-05-06T12:00:00Z","id":"/briefs/2024-05-phpseclib-dos/","summary":"A vulnerability exists in phpseclib when loading untrusted ASN1 files, potentially leading to an OID amplification denial-of-service (DoS) in the ASN1::decodeOID() function.","title":"phpseclib OID Amplification DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-phpseclib-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Asn1","version":"https://jsonfeed.org/version/1.1"}