CVE-2023-0567 Overview
CVE-2023-0567 is a Weak Hash Algorithm vulnerability in PHP's password_verify() function that may accept certain invalid Blowfish hashes as valid. This authentication weakness affects PHP versions 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. If an invalid hash is stored in a password database, the application could incorrectly authenticate any password as valid for that entry, effectively bypassing password authentication entirely.
Critical Impact
Applications using affected PHP versions may allow unauthorized access by accepting any password for entries with malformed Blowfish hashes in the password database.
Affected Products
- PHP 8.0.X before 8.0.28
- PHP 8.1.X before 8.1.16
- PHP 8.2.X before 8.2.3
Discovery Timeline
- 2023-03-01 - CVE-2023-0567 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-0567
Vulnerability Analysis
This vulnerability stems from improper validation within PHP's password_verify() function when processing Blowfish (bcrypt) password hashes. The function fails to properly reject certain malformed Blowfish hash formats, leading to a condition where these invalid hashes will match against any provided password input.
The authentication bypass occurs when a corrupted or intentionally malformed Blowfish hash is stored in the application's password database. Under normal circumstances, password_verify() should reject such hashes and return false. However, due to the validation flaw, the function may return true regardless of the password provided, allowing complete authentication bypass for the affected user account.
This vulnerability is classified under CWE-916 (Use of Password Hash With Insufficient Computational Effort), as the improper hash validation undermines the security guarantees that bcrypt hashing is designed to provide.
Root Cause
The root cause lies in insufficient validation of Blowfish hash format integrity within PHP's password_verify() implementation. The function does not adequately verify that the provided hash conforms to the expected bcrypt structure before performing comparison operations. When processing certain malformed hashes, the validation logic fails silently, leading the function to incorrectly report successful password verification.
Attack Vector
The attack requires local access and depends on a malformed Blowfish hash being present in the password database. This could occur through:
- Database corruption or manipulation by an attacker with database access
- Application bugs that generate or store improperly formatted hashes
- Data migration errors that corrupt hash values
- Deliberate insertion of malformed hashes during account creation
Once a malformed hash exists in the database, any authentication attempt against that account using password_verify() will succeed regardless of the password provided. The vulnerability does not require user interaction and can be exploited without any special privileges once the precondition (malformed hash in database) is met.
The vulnerability mechanism involves the hash validation logic within password_verify(). When a specially malformed Blowfish hash is passed to the function, improper boundary checking or format validation allows the comparison to succeed with arbitrary input passwords. For detailed technical analysis, refer to the GitHub Security Advisory GHSA-7fj2-8x79-rjf4.
Detection Methods for CVE-2023-0567
Indicators of Compromise
- Malformed or unusually short Blowfish hashes in password database tables (valid bcrypt hashes should be 60 characters)
- Successful authentication events for accounts with invalid or corrupted password hashes
- Multiple accounts being accessed with different passwords that all succeed
- Unusual authentication patterns showing accounts accessible with any password input
Detection Strategies
- Implement database integrity checks to validate bcrypt hash format (should match pattern $2[ayb]$[0-9]{2}$[./A-Za-z0-9]{53})
- Monitor PHP version across infrastructure and alert on vulnerable versions (8.0.X < 8.0.28, 8.1.X < 8.1.16, 8.2.X < 8.2.3)
- Audit authentication logs for anomalous successful login patterns
- Deploy application-level logging around password_verify() calls to capture hash validation results
Monitoring Recommendations
- Enable verbose authentication logging to capture all password_verify() operations
- Implement automated scanning for vulnerable PHP versions using SentinelOne Singularity platform
- Monitor database tables containing password hashes for unexpected modifications or malformed entries
- Set up alerts for bulk successful authentication events that may indicate exploitation
How to Mitigate CVE-2023-0567
Immediate Actions Required
- Upgrade PHP to patched versions: 8.0.28+, 8.1.16+, or 8.2.3+
- Audit password database for any malformed Blowfish hashes and reset affected accounts
- Implement additional application-level hash format validation before calling password_verify()
- Review authentication logs for evidence of exploitation prior to patching
Patch Information
PHP has released security updates addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- PHP 8.0.28 or later for 8.0.X branch
- PHP 8.1.16 or later for 8.1.X branch
- PHP 8.2.3 or later for 8.2.X branch
Additional information is available in the PHP Bug Report #81744 and the GitHub Security Advisory GHSA-7fj2-8x79-rjf4. NetApp customers should also review the NetApp Security Advisory ntap-20230331-0008.
Workarounds
- Add application-level validation to verify bcrypt hash format before passing to password_verify()
- Implement hash length checks ensuring all bcrypt hashes are exactly 60 characters
- Consider temporary lockout of accounts with detected malformed password hashes pending hash reset
- Deploy Web Application Firewall rules to add additional authentication validation layers
# Check PHP version and verify patched status
php -v | grep -E "PHP 8\.(0\.(2[8-9]|[3-9][0-9])|1\.(1[6-9]|[2-9][0-9])|2\.([3-9]|[1-9][0-9]))"
# Audit database for malformed bcrypt hashes (example for MySQL)
# Valid bcrypt hashes should be 60 characters matching expected pattern
mysql -e "SELECT id, username FROM users WHERE LENGTH(password_hash) != 60 OR password_hash NOT REGEXP '^\$2[ayb]\$[0-9]{2}\$';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
