New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service #79927
Comments
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. |
Thanks for the report! |
Thanks for acknowledging. We look forward to any updates/developments on the issue reported. For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html Kind Regards, Regina Wilson [cid:CFA14CB5-B7B2-4FF7-8313-22D495F607D5@vrt.sourcefire.com] On Jan 15, 2019, at 11:30 AM, Christian Heimes <report@bugs.python.org<mailto:report@bugs.python.org>> wrote: Christian Heimes <lists@cheimes.de<mailto:lists@cheimes.de>> added the comment: Thanks for the report! ---------- Python tracker <report@bugs.python.org<mailto:report@bugs.python.org>> |
I can confirm that CPython is affected. By the way PyCA cryptography handles the CRL DB just fine. >>> from cryptography import x509
>>> from cryptography.hazmat.backends import default_backend
>>> with open("Lib/test/talos-2019-0758.pem", "rb") as f:
... pem_data = f.read()
...
>>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
>>> cert.extensions[-1]
<Extension(oid=<ObjectIdentifier(oid=2.5.29.31, name=cRLDistributionPoints)>, critical=False, value=<CRLDistributionPoints([<DistributionPoint(full_name=None, relative_name=None, reasons=None, crl_issuer=None)>])>)> |
The files are removed and will be reissued to PSIRT. Regina Wilson [cid:CFA14CB5-B7B2-4FF7-8313-22D495F607D5@vrt.sourcefire.com] On Jan 15, 2019, at 12:11 PM, Cisco Talos <report@bugs.python.org<mailto:report@bugs.python.org>> wrote: Change by Cisco Talos <vulndev@cisco.com<mailto:vulndev@cisco.com>>: Removed file: https://bugs.python.org/file48052/TALOS-2019-0758.txt Python tracker <report@bugs.python.org<mailto:report@bugs.python.org>> |
I close the bug just to hide it from the home page and default search result, to have more time to fix it (make the issue less visible). |
Please leave the bug open and don't remove files. It's too late. The bug report has been sent to mailing lists and RSS feeds already. Also you cannot remove any files from the bug tracker. Only admins are can do that. |
I can confirm this crashes a freshly-built interpreter from the current 3.5 and 3.4 branches. |
TALOS-2019-0758.txt: "Credit: Discovered by Colin Read and Nicolas Edet of Cisco." Can we credit them somewhere? Maybe edit the NEWS entry to mention their name? |
The bug is less critical and harder to exploit than I initially thought. td;dr if you have cert validation enabled and only trust public root CAs from CA/B forum, then you are not affected. The bug is only exploitable under two conditions:
When cert validation is enabled, the ssl module will refuse any untrusted certificate during the handshake. The SSLSocket.getpeercert() and SSLObject.getpeercert() methods raise an exception, when the handshake was not successful. Python 2.7 - 3.6 hostname verification code only calls getpeercert() after the cert chain was validated successfully. Python 3.7+ no longer calls getpeercert() for hostname verification. Further more hostname verification can't be enabled when cert validation is disabled. For publicly trusted CAs governed by CA/B baseline requirements, CRL DPs must by valid URI general names with HTTP links. From CA/Browser Forum Baseline Requirements Version 1.6.2, December 10, 2018, section 7.1.2.3. Subscriber Certificate: b. cRLDistributionPoints |
Does someone work on backporting the fix to 3.4 and 3.5 branches? Note: I added the vulnerability to: |
Can we close this now? |
Yes, I close the issue. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: