CVE-2013-6420
Published 2013-12-17
Priority: high (P266) · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 35.63% (98.3rd percentile)
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
Affected
63 ranges · showing 25 (identical rows without version data collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.9.1 | — |
| opensuse | opensuse | — | — |
| php | php | <= 5.3.27 | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
- Trigger function is openssl_x509_parse(); monitor PHP applications calling this function with externally-supplied X.509 certificates, especially those accepting self-signed certificates or certificates from untrusted sources.
- Exploit vector is a crafted X.509 certificate containing NUL bytes in the notBefore or notAfter timestamp fields; detect certificates with embedded NUL bytes in ASN.1 UTCTime/GeneralizedTime fields at the TLS inspection layer.
- Attack can be delivered via a self-signed certificate (no CA compromise required) when the target application passes attacker-controlled certificates to openssl_x509_parse(), e.g. certificate upload/analysis endpoints.
- Vulnerable PHP versions to flag in asset inventory: PHP 4.0.6–4.4.9, 5.0.x, 5.1.x, 5.2.x, 5.3.0–5.3.27, 5.4.0–5.4.22, 5.5.0–5.5.6.
- WordPress installations using openssl_x509_parse() for HTTPS certificate verification (when ext/curl is not loaded) are an attack surface; a MITM with a malicious trusted cert can trigger the bug.
- The memory corruption is only reachable when the PHP openssl extension is loaded and the application explicitly calls openssl_x509_parse(); installations using ext/curl for SSL (instead of PHP's openssl wrapper) are not directly exposed via the WordPress vector.
- For applications that only accept CA-signed certificates, exploitation requires a compromised or malicious CA; self-signed-cert attack paths apply only to applications that accept untrusted/self-signed certs.
- Red Hat Enterprise Linux 7 ships a non-affected PHP build; patching priority should focus on RHEL 5/6, OpenShift Enterprise 1/2, and Red Hat Software Collections php55-php.
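The detection indicator above (NUL bytes in the notBefore/notAfter UTCTime/GeneralizedTime fields) can be checked on any DER certificate before it reaches a PHP parser. The script below is an added example written for this page, not code from PHP, Red Hat or any of the cited sources. It uses a minimal stdlib-only DER walker that assumes RFC 5280 field order in tbsCertificate and single-byte tags (true for the certificate's outer structure), and it reports any timestamp whose bytes contain NUL, contain characters outside the ASN.1 time alphabet, or have the wrong length. The two sample certificates are constructed skeletons with dummy signatures and keys; they are not real certificates.

```python
"""Flag malformed notBefore/notAfter timestamps in a DER-encoded X.509
certificate: embedded NUL bytes, non-time characters, or wrong length.
Stdlib only. Sample certificates at the bottom are constructed for this
example (dummy issuer, key and signature) and are not real certificates."""

# Characters RFC 5280 permits in UTCTime / GeneralizedTime values.
ALLOWED_TIME_CHARS = frozenset(b"0123456789Z+-.")


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos).
    Single-byte tags only (sufficient for a Certificate's outer layers)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def children(content):
    """Yield (tag, content) for each TLV packed inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def check_time(label, tag, value):
    """Findings for one Time element: UTCTime (0x17) or GeneralizedTime (0x18)."""
    if tag == 0x17:
        expected = 13  # YYMMDDHHMMSSZ
    elif tag == 0x18:
        expected = 15  # YYYYMMDDHHMMSSZ
    else:
        return [f"{label}: unexpected tag 0x{tag:02x} for Time"]
    findings = []
    if b"\x00" in value:
        findings.append(f"{label}: embedded NUL byte at offset {value.index(0)}")
    bad = sorted(set(value) - ALLOWED_TIME_CHARS - {0})
    if bad:
        findings.append(f"{label}: non-time characters {bad}")
    if len(value) != expected:
        findings.append(f"{label}: length {len(value)}, expected {expected}")
    return findings


def check_validity_times(cert_der):
    """Locate Validity inside tbsCertificate and check both timestamps.
    Returns a list of human-readable findings; an empty list means clean."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs = next(children(cert))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tbs_fields = list(children(tbs))
    if tbs_fields and tbs_fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, ...
    validity_tag, validity = tbs_fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    times = list(children(validity))
    if len(times) != 2:
        return [f"validity: expected 2 Time elements, found {len(times)}"]
    findings = []
    for label, (t_tag, t_val) in zip(("notBefore", "notAfter"), times):
        findings.extend(check_time(label, t_tag, t_val))
    return findings


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def sample_certificate(not_before, not_after):
    """Constructed certificate skeleton: real field layout, dummy contents."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example"))))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                # version v3
              + der(0x02, b"\x01")                                         # serialNumber
              + alg + name                                                 # signature, issuer
              + der(0x30, der(0x17, not_before) + der(0x17, not_after))    # validity
              + name                                                       # subject
              + der(0x30, alg + der(0x03, b"\x00\x00")))                   # dummy SPKI
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))                   # dummy signature


CLEAN_CERT = sample_certificate(b"131201000000Z", b"141201000000Z")
NUL_CERT = sample_certificate(b"13120100000\x00Z", b"141201000000Z")

if __name__ == "__main__":
    for name, cert in (("clean", CLEAN_CERT), ("nul-in-notBefore", NUL_CERT)):
        print(name, check_validity_times(cert) or "ok")
```

Run against a real certificate with `check_validity_times(open("cert.der", "rb").read())`; PEM input must be base64-decoded first. The length and character checks are stricter than the NUL indicator alone, so a certificate that is merely non-conformant (for example, GeneralizedTime with fractional seconds) will also be flagged and should be triaged rather than treated as an attack.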
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2013-12-12·CVSS 7.5
CVE-2013-6420 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Stefan Esser discovered that PHP incorrectly parsed certificates. An
attacker could use a malformed certificate to cause PHP to crash, resulting
in a denial of service, or possibly execute arbitrary code. (CVE-2013-6420)
It was discovered that PHP incorrectly handled DateInterval objects. An
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2013-6712)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
php: memory corruption in openssl_x509_parse()
vendor_redhat·2013-12-10·CVSS 7.5
CVE-2013-6420 [HIGH] CWE-130 php: memory corruption in openssl_x509_parse()
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
Package: php (OpenShift Enterprise 1) - Affected
Package: php (Red Hat Enterprise Linux 7) - Not affected
Package: php (Red Hat OpenShift Enterprise 2) - Affected
Package: php55-php (Red Hat Software Collections) - Affected
GHSA
GHSA-m6pq-hhvx-694c: The asn1_time_to_time_t function in ext/openssl/openssl
ghsa_unreviewed·2022-05-14
CVE-2013-6420 [HIGH] CWE-119 GHSA-m6pq-hhvx-694c: The asn1_time_to_time_t function in ext/openssl/openssl
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
No detection rules found.
Bugzilla
CVE-2013-6420 php: memory corruption in openssl_x509_parse() [fedora-all]
bugzilla·2013-12-11·CVSS 7.5
CVE-2013-6420 [HIGH] CVE-2013-6420 php: memory corruption in openssl_x509_parse() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects
Bugzilla
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
bugzilla·2013-12-02·CVSS 7.5
CVE-2013-6420 [HIGH] CVE-2013-6420 php: memory corruption in openssl_x509_parse()
Stefan Esser reported a vulnerability in the PHP openssl extension. A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
Acknowledgements:
Red Hat would like to thank the PHP project for reporting this issue. Upstream acknowledges Stefan Esser as the original reporter of this issue.
Discussion:
This issue ha
References
- http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel%21
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=c1224573c773b6845e83505f717fbf820fc18415
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00125.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00126.html
- http://rhn.redhat.com/errata/RHSA-2013-1813.html
- http://rhn.redhat.com/errata/RHSA-2013-1815.html
- http://rhn.redhat.com/errata/RHSA-2013-1824.html
- http://rhn.redhat.com/errata/RHSA-2013-1825.html
- http://rhn.redhat.com/errata/RHSA-2013-1826.html
- http://secunia.com/advisories/59652
- http://support.apple.com/kb/HT6150
- http://www.debian.org/security/2013/dsa-2816
- http://www.php.net/ChangeLog-5.php
- http://www.securityfocus.com/bid/64225
- http://www.securitytracker.com/id/1029472
- http://www.ubuntu.com/usn/USN-2055-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1036830
- https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322
- https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html