GHSA-79rc-jjh6-rc89: 
PHP vulnerability analysis and mitigation

A high severity vulnerability (GHSA-79rc-jjh6-rc89) was identified in PocketMine-MP affecting versions >= 5.2.0 and < 5.3.1. The vulnerability was discovered and disclosed on September 13, 2023, with patches released in versions 4.23.1 and 5.3.1. The issue affects the server's handling of LoginPacket identityPublicKey during the network packet encryption process (GitHub Advisory).

The vulnerability stems from improper validation of elliptic curve (EC) keys during the ECDH (Elliptic Curve Diffie-Hellman) key exchange process. The server uses ECDH to calculate a shared secret for symmetric encryption of network packets post-login. While Minecraft: Bedrock Edition specifically requires the secp384r1 curve, the server failed to properly validate that the client-provided key belonged to the same curve. The vulnerability received a CVSS score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

When exploited, this vulnerability could cause the server to crash due to an uncaught exception during ECDH key derivation. This occurs when a client provides a key belonging to a different curve (such as secp256r1) or when using non-EC keys (like RSA or DH) with SHA384 hashing algorithm for JWT signatures (GitHub Advisory).

The vulnerability was patched in versions 4.23.1 and 5.3.1 through commit 4e646d19a4a1e0d082bd4d1f5a58ae0182a268d9. As a workaround, server administrators can implement a plugin to handle LoginPacket and verify that all identityPublicKeys in JWT bodies belong to secp384r1 by checking opensslpkeygetdetails($key)["ec"]["curvename"] (GitHub Commit).