classification
Title: [ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service
Type: security Stage: resolved
Components: SSL Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Talos, christian.heimes, larry, miss-islington, ned.deily, vstinner
Priority: normal Keywords: patch, patch, patch

Created on 2019-01-15 16:24 by Talos, last changed 2019-05-10 17:57 by ned.deily. This issue is now closed.

Files
File name Uploaded Description
TALOS-2019-0758.txt Talos, 2019-01-15 16:24 Security advisory report
TALOS-2019-0758 - POC.pem Talos, 2019-01-15 16:25 poc file
Pull Requests
URL Status Linked
PR 11569 merged christian.heimes, 2019-01-15 17:21
PR 11572 merged miss-islington, 2019-01-15 22:48
PR 11573 merged miss-islington, 2019-01-15 22:48
PR 11574 merged miss-islington, 2019-01-15 22:48
PR 11863 merged vstinner, 2019-02-15 11:15
PR 11864 merged vstinner, 2019-02-15 11:20
PR 11865 merged vstinner, 2019-02-15 11:21
PR 11866 merged vstinner, 2019-02-15 11:25
PR 11867 merged vstinner, 2019-02-15 11:34
PR 11868 merged vstinner, 2019-02-15 11:35
Messages (23)
msg333709 - (view) Author: Cisco Talos (Talos) Date: 2019-01-15 16:24
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
msg333710 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-01-15 16:30
Thanks for the report!
msg333711 - (view) Author: Cisco Talos (Talos) Date: 2019-01-15 16:38
Thanks for acknowledging.  We look forward to any updates/developments on the issue reported.

For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html

Kind Regards,

Regina Wilson
Analyst.Business Operations
regiwils@cisco.com
msg333712 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-01-15 16:54
I can confirm that CPython is affected.

By the way PyCA cryptography handles the CRL DB just fine.

>>> from cryptography import x509
>>> from cryptography.hazmat.backends import default_backend
>>> with open("Lib/test/talos-2019-0758.pem", "rb") as f:
...     pem_data = f.read()
... 
>>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
>>> cert.extensions[-1]
<Extension(oid=<ObjectIdentifier(oid=2.5.29.31, name=cRLDistributionPoints)>, critical=False, value=<CRLDistributionPoints([<DistributionPoint(full_name=None, relative_name=None, reasons=None, crl_issuer=None)>])>)>
msg333713 - (view) Author: Cisco Talos (Talos) Date: 2019-01-15 17:15
The files are removed and will be reissued to PSIRT.

Regina Wilson
Analyst.Business Operations
regiwils@cisco.com
msg333714 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-01-15 17:17
I close the bug just to hide it from the home page and default search result, to have more time to fix it (make the issue less visible).
msg333715 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-01-15 17:20
Please leave the bug open and don't remove files. It's too late. The bug report has been sent to mailing lists and RSS feeds already.

Also you cannot remove any files from the bug tracker. Only admins can do that.
msg333736 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2019-01-15 22:46
I can confirm this crashes a freshly-built interpreter from the current 3.5 and 3.4 branches.
msg333737 - (view) Author: miss-islington (miss-islington) Date: 2019-01-15 22:47
New changeset a37f52436f9aa4b9292878b72f3ff1480e2606c3 by Miss Islington (bot) (Christian Heimes) in branch 'master':
bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
https://github.com/python/cpython/commit/a37f52436f9aa4b9292878b72f3ff1480e2606c3
msg333741 - (view) Author: miss-islington (miss-islington) Date: 2019-01-15 23:03
New changeset be5de958e9052e322b0087c6dba81cdad0c3e031 by Miss Islington (bot) in branch '3.7':
bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
https://github.com/python/cpython/commit/be5de958e9052e322b0087c6dba81cdad0c3e031
msg333742 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-01-15 23:08
TALOS-2019-0758.txt: "Credit: Discovered by Colin Read and Nicolas Edet of Cisco."

Can we credit them somewhere? Maybe edit the NEWS entry to mention their name?
msg333743 - (view) Author: miss-islington (miss-islington) Date: 2019-01-15 23:11
New changeset 06b15424b0dcacb1c551b2a36e739fffa8d0c595 by Miss Islington (bot) in branch '2.7':
bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595
msg333747 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-01-16 01:16
New changeset 216a4d83c3b72f4fdcd81b588dc3f42cc461739a by Ned Deily (Miss Islington (bot)) in branch '3.6':
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)
https://github.com/python/cpython/commit/216a4d83c3b72f4fdcd81b588dc3f42cc461739a
msg333764 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-01-16 12:42
The bug is less critical and harder to exploit than I initially thought. tl;dr if you have cert validation enabled and only trust public root CAs from CA/B forum, then you are not affected.

The bug is only exploitable under two conditions:
1) The user has disabled TLS/SSL certificate validation *and* calls getpeercert() in 3rd party code.
2) Or the user trusts a CA that does not properly validate end-entity certificates.

When cert validation is enabled, the ssl module will refuse any untrusted certificate during the handshake. The SSLSocket.getpeercert() and SSLObject.getpeercert() methods raise an exception when the handshake was not successful. Python 2.7 - 3.6 hostname verification code only calls getpeercert() after the cert chain was validated successfully. Python 3.7+ no longer calls getpeercert() for hostname verification. Furthermore, hostname verification can't be enabled when cert validation is disabled.

For publicly trusted CAs governed by CA/B baseline requirements, CRL DPs must be valid URI general names with HTTP links. From CA/Browser Forum Baseline Requirements Version 1.6.2, December 10, 2018, section 7.1.2.3. Subscriber Certificate:

b. cRLDistributionPoints
This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.
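
The safeguards described in the message above, as an added example that is not part of the original tracker discussion or of CPython's own code: it audits an SSLContext for the settings named in condition 1 and exercises the two protections the message relies on, using only the standard ssl module and no network traffic. The function names and the placeholder hostname host.example are assumptions made for this illustration.

```python
import ssl


def audit_context(ctx):
    """Flag the settings named in condition 1 of the message above."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate validation disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


def can_disable_validation_with_hostname_check():
    """Try to set CERT_NONE while check_hostname is still enabled."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False  # the ssl module refuses this combination
    return True


def getpeercert_before_handshake():
    """Call getpeercert() on an SSLObject whose handshake never ran."""
    ctx = ssl.create_default_context()
    # In-memory BIOs: nothing is sent; the hostname is a placeholder.
    obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
                       server_hostname="host.example")
    try:
        return obj.getpeercert()
    except ValueError as exc:
        return "refused: %s" % exc


def insecure_context():
    """The risky configuration: both checks switched off, in this order."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(audit_context(ssl.create_default_context()))
    print(audit_context(insecure_context()))
    print(can_disable_validation_with_hostname_check())
    print(getpeercert_before_handshake())
```
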
msg334178 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-01-21 20:52
Does someone work on backporting the fix to 3.4 and 3.5 branches?

Note: I added the vulnerability to:
https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html
msg335599 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 11:25
New changeset 355f16fd4beb36d6a18f7d0982581c93de015c17 by Victor Stinner in branch 'master':
bpo-35746: Credit Colin Read and Nicolas Edet (GH-11863)
https://github.com/python/cpython/commit/355f16fd4beb36d6a18f7d0982581c93de015c17
msg335600 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 11:34
New changeset 826a8b708165796151ad4135b0ddbd79da6d39f1 by Victor Stinner in branch '2.7':
bpo-35746: Credit Colin Read and Nicolas Edet (GH-11866)
https://github.com/python/cpython/commit/826a8b708165796151ad4135b0ddbd79da6d39f1
msg335604 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-15 12:19
New changeset fe42122d41834746e841b5927154be041fb7afbb by Victor Stinner in branch '3.7':
bpo-35746: Credit Colin Read and Nicolas Edet (GH-11864)
https://github.com/python/cpython/commit/fe42122d41834746e841b5927154be041fb7afbb
msg335673 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-02-16 07:23
New changeset 2a3af94b7e4d7851986043348128e312ddbb2451 by Ned Deily (Victor Stinner) in branch '3.6':
bpo-35746: Credit Colin Read and Nicolas Edet (GH-11865)
https://github.com/python/cpython/commit/2a3af94b7e4d7851986043348128e312ddbb2451
msg336558 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2019-02-25 21:28
New changeset 6c655ce34ae54adb8eef22b73108e22cc381cb8d by larryhastings (Victor Stinner) in branch '3.4':
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11868)
https://github.com/python/cpython/commit/6c655ce34ae54adb8eef22b73108e22cc381cb8d
msg336587 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2019-02-26 00:17
New changeset efec7631edf3b9480dc3988c97ffef94df8800da by larryhastings (Victor Stinner) in branch '3.5':
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867)
https://github.com/python/cpython/commit/efec7631edf3b9480dc3988c97ffef94df8800da
msg337569 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2019-03-09 10:13
Can we close this now?
msg337732 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-03-12 11:06
Yes, I close the issue.
History
Date User Action Args
2019-05-10 17:57:03 ned.deily set messages: - msg342112
2019-05-10 17:36:41 ned.deily set messages: + msg342112
2019-03-12 11:06:07 vstinner set status: open -> closed; messages: + msg337732; keywords: patch, patch, patch; resolution: fixed; stage: patch review -> resolved
2019-03-09 10:13:37 larry set keywords: patch, patch, patch; messages: + msg337569
2019-02-26 00:17:06 larry set messages: + msg336587
2019-02-25 21:28:39 larry set messages: + msg336558
2019-02-16 07:23:55 ned.deily set messages: + msg335673
2019-02-15 12:19:33 vstinner set messages: + msg335604
2019-02-15 11:35:39 vstinner set pull_requests: + pull_request11901
2019-02-15 11:34:20 vstinner set messages: + msg335600
2019-02-15 11:34:01 vstinner set pull_requests: + pull_request11900
2019-02-15 11:25:49 vstinner set messages: + msg335599
2019-02-15 11:25:34 vstinner set pull_requests: + pull_request11899
2019-02-15 11:21:56 vstinner set pull_requests: + pull_request11898
2019-02-15 11:20:32 vstinner set pull_requests: + pull_request11897
2019-02-15 11:15:47 vstinner set pull_requests: + pull_request11896
2019-01-21 20:52:46 vstinner set keywords: patch, patch, patch; messages: + msg334178
2019-01-16 12:42:11 christian.heimes set keywords: patch, patch, patch; messages: + msg333764
2019-01-16 01:16:40 ned.deily set nosy: + ned.deily; messages: + msg333747
2019-01-15 23:11:55 miss-islington set messages: + msg333743
2019-01-15 23:08:07 vstinner set keywords: patch, patch, patch; messages: + msg333742
2019-01-15 23:03:38 miss-islington set messages: + msg333741
2019-01-15 22:49:01 miss-islington set pull_requests: + pull_request11246
2019-01-15 22:48:52 miss-islington set pull_requests: + pull_request11247
2019-01-15 22:48:43 miss-islington set pull_requests: + pull_request11245
2019-01-15 22:48:35 miss-islington set pull_requests: + pull_request11244
2019-01-15 22:48:24 miss-islington set pull_requests: + pull_request11243
2019-01-15 22:48:13 miss-islington set pull_requests: + pull_request11242
2019-01-15 22:48:03 miss-islington set pull_requests: + pull_request11241
2019-01-15 22:47:49 miss-islington set nosy: + miss-islington; messages: + msg333737
2019-01-15 22:46:53 larry set keywords: patch, patch, patch; nosy: + larry; messages: + msg333736
2019-01-15 20:17:35 ned.deily set files: - image001.png
2019-01-15 20:17:18 ned.deily set files: - image001.png
2019-01-15 17:34:19 christian.heimes set files: + TALOS-2019-0758 - POC.pem
2019-01-15 17:34:08 christian.heimes set files: + TALOS-2019-0758.txt
2019-01-15 17:25:41 vstinner set keywords: patch, patch, patch; title: TALOS-2018-0758 Denial of Service -> [ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service
2019-01-15 17:21:52 christian.heimes set keywords: + patch; pull_requests: + pull_request11235
2019-01-15 17:21:45 christian.heimes set keywords: + patch; pull_requests: + pull_request11234
2019-01-15 17:21:39 christian.heimes set keywords: + patch; pull_requests: + pull_request11233
2019-01-15 17:20:33 christian.heimes set status: closed -> open; resolution: fixed -> (no value); messages: + msg333715; stage: resolved -> patch review
2019-01-15 17:17:37 vstinner set status: open -> closed; nosy: + vstinner; messages: + msg333714; resolution: fixed; stage: needs patch -> resolved
2019-01-15 17:15:26 Talos set files: + image001.png; messages: + msg333713
2019-01-15 17:11:26 Talos set files: - TALOS-2019-0758.txt
2019-01-15 17:11:05 Talos set files: - TALOS-2019-0758 - POC.pem
2019-01-15 16:54:46 christian.heimes set messages: + msg333712
2019-01-15 16:38:19 Talos set files: + image001.png; messages: + msg333711
2019-01-15 16:30:21 christian.heimes set assignee: christian.heimes; components: + SSL; versions: + Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8; nosy: + christian.heimes; messages: + msg333710; stage: needs patch
2019-01-15 16:25:53 Talos set files: + TALOS-2019-0758 - POC.pem; versions: - Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8
2019-01-15 16:24:28 Talos create