CVE-2013-6420
published 2013-12-17


Priority: P2 · 66 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 35.63% (98.3rd percentile)
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.

Affected (63 ranges; 25 shown on the page)

Vendor     Product    Version range    Fixed in
apple      mac_os_x   <= 10.9.1
opensuse   opensuse   (4 ranges, versions not shown)
php        php        <= 5.3.27
php        php        (19 further ranges, versions not shown)

Detection & IOCs (extracted from sources)

path: ext/openssl/openssl.c
  • Trigger function is openssl_x509_parse(); monitor PHP applications calling this function with externally-supplied X.509 certificates, especially those accepting self-signed certificates or certificates from untrusted sources.
  • Exploit vector is a crafted X.509 certificate containing NUL bytes in the notBefore or notAfter timestamp fields; detect certificates with embedded NUL bytes in ASN1 UTCTIME/GENERALIZEDTIME fields at the TLS inspection layer.
  • Attack can be delivered via a self-signed certificate (no CA compromise required) when the target application passes attacker-controlled certificates to openssl_x509_parse(), e.g. certificate upload/analysis endpoints.
  • Vulnerable PHP versions to flag in asset inventory: PHP 4.0.6–4.4.9, 5.0.x, 5.1.x, 5.2.x, 5.3.0–5.3.27, 5.4.0–5.4.22, 5.5.0–5.5.6.
  • WordPress installations using openssl_x509_parse() for HTTPS certificate verification (when ext/curl is not loaded) are an attack surface; a MITM presenting a malicious trusted certificate can trigger the bug.
  • The memory corruption is only reachable when the PHP openssl extension is loaded and the application explicitly calls openssl_x509_parse(); installations using ext/curl for SSL (instead of PHP's openssl wrapper) are not directly exposed via the WordPress vector.
  • For applications that only accept CA-signed certificates, exploitation requires a compromised or malicious CA; self-signed-certificate attack paths apply only to applications that accept untrusted/self-signed certificates.
  • Red Hat Enterprise Linux 7 ships a non-affected PHP build; patching priority should focus on RHEL 5/6, OpenShift Enterprise 1/2, and Red Hat Software Collections php55-php.
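The NUL-byte check that the detection notes above describe, as an added example (not part of this CVE record or of PHP's own code): a minimal DER walker that locates every UTCTime/GeneralizedTime value in a certificate and flags strings whose bytes are not plain ASCII time characters. The two Validity SEQUENCE inputs are constructed for the demo; any raw DER certificate can be passed to scan_der_times() instead.

```python
TIME_TAGS = {0x17: "UTCTime", 0x18: "GeneralizedTime"}
ALLOWED = set(b"0123456789Z+-.")  # bytes a well-formed ASN.1 time string may contain

# Constructed sample: an X.509 Validity SEQUENCE holding two clean UTCTime values.
GOOD_VALIDITY = b"\x30\x1e" + b"\x17\x0d131217000000Z" + b"\x17\x0d141217000000Z"
# Constructed sample: the notBefore value hides two NUL bytes inside its declared length.
BAD_VALIDITY = b"\x30\x1e" + b"\x17\x0d1312170000\x00\x00Z" + b"\x17\x0d141217000000Z"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, value_start, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], pos, end


def iter_time_fields(buf: bytes, base: int = 0):
    """Yield (tag, value, absolute offset) for each time value, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, vstart, end = _read_tlv(buf, pos)
        if tag in TIME_TAGS:
            yield tag, value, base + vstart
        elif tag & 0x20:  # constructed (SEQUENCE, SET, explicit [n] tags): recurse
            yield from iter_time_fields(value, base + vstart)
        pos = end


def scan_der_times(der: bytes) -> list:
    """Return one finding per time field whose bytes are not plain ASCII time characters."""
    findings = []
    for tag, value, offset in iter_time_fields(der):
        problems = []
        if 0 in value:  # the condition the detection note asks inspection layers to catch
            problems.append("embedded NUL byte")
        if any(c not in ALLOWED and c != 0 for c in value):
            problems.append("unexpected byte in time string")
        if problems:
            findings.append({"tag": TIME_TAGS[tag], "offset": offset, "problems": problems})
    return findings
```

The walker does not descend into OCTET STRING or BIT STRING contents, so it covers the Validity field and any time values in the outer certificate structure, which is where the vulnerable parse happens.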

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat             7.5     HIGH
vendor_ubuntu             7.5     HIGH