Lucene search

K
freebsdFreeBSD47B4E713-6513-11E3-868F-0025905A4771
HistoryDec 13, 2013 - 12:00 a.m.

PHP5 -- memory corruption in openssl_x509_parse()

2013-12-1300:00:00
vuxml.freebsd.org
25

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.95 High

EPSS

Percentile

99.3%

Stefan Esser reports:

The PHP function openssl_x509_parse() uses a helper function
called asn1_time_to_time_t() to convert timestamps from ASN1
string format into integer timestamp values. The parser within
this helper function is not binary safe and can therefore be
tricked to write up to five NUL bytes outside of an allocated
buffer.
This problem can be triggered by x509 certificates that contain
NUL bytes in their notBefore and notAfter timestamp fields and
leads to a memory corruption that might result in arbitrary
code execution.
Depending on how openssl_x509_parse() is used within a PHP
application the attack requires either a malicious cert signed
by a compromised/malicious CA or can be carried out with a
self-signed cert.

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.95 High

EPSS

Percentile

99.3%