CVE-2021-30130
📋 TL;DR
This vulnerability in phpseclib allows attackers to forge RSA PKCS#1 v1.5 signatures, potentially bypassing authentication or authorization checks. It affects applications using phpseclib for cryptographic operations like SSH, SFTP, or TLS certificate validation. Any system using vulnerable versions of phpseclib for signature verification is at risk.
💻 Affected Systems
- phpseclib
📦 What is this software?
Phpseclib by Phpseclib
Phpseclib by Phpseclib
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass, unauthorized access to systems, data exfiltration, or privilege escalation through forged cryptographic signatures.
Likely Case
Authentication bypass in applications relying on phpseclib for signature verification, potentially allowing unauthorized API access or system entry.
If Mitigated
Limited impact if additional authentication layers exist, but cryptographic integrity would still be compromised.
🎯 Exploit Status
The vulnerability is in signature verification logic, making exploitation straightforward once the flaw is understood. Public proof-of-concept exists in the GitHub pull request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.31 or 3.0.7
Vendor Advisory: https://github.com/phpseclib/phpseclib/releases/tag/2.0.31
Restart Required: No
Instructions:
1. Update phpseclib via Composer: composer require phpseclib/phpseclib:^2.0.31 or composer require phpseclib/phpseclib:^3.0.7
2. For manual installation, download and replace the library files from GitHub releases.
3. Test signature verification functionality after update.
🔧 Temporary Workarounds
Disable RSA PKCS#1 v1.5 signature verification
allTemporarily disable or replace RSA PKCS#1 v1.5 signature verification with alternative methods if possible.
🧯 If You Can't Patch
- Implement additional authentication layers (multi-factor authentication, IP whitelisting)
- Monitor for unusual authentication patterns or signature verification failures
🔍 How to Verify
Check if Vulnerable:
Check composer.json or the phpseclib library version in your project. If using Composer: composer show phpseclib/phpseclibCheck Version:
composer show phpseclib/phpseclib | grep versionVerify Fix Applied:
Verify the installed version is 2.0.31+ or 3.0.7+. Test RSA PKCS#1 v1.5 signature verification with known valid and invalid signatures.📡 Detection & Monitoring
Log Indicators:
- Failed signature verification attempts
- Unexpected successful authentications
- Authentication logs showing unusual patterns
Network Indicators:
- Unusual SSH/SFTP connections
- API requests with forged signatures
SIEM Query:
source="authentication_logs" AND (event="signature_verification_failed" OR event="unexpected_authentication_success")🔗 References
- https://github.com/phpseclib/phpseclib/pull/1635
- https://github.com/phpseclib/phpseclib/releases/tag/2.0.31
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.7
- https://lists.debian.org/debian-lts-announce/2022/11/msg00024.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00025.html
- https://github.com/phpseclib/phpseclib/pull/1635
- https://github.com/phpseclib/phpseclib/releases/tag/2.0.31
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.7
- https://lists.debian.org/debian-lts-announce/2022/11/msg00024.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00025.html
