.. _ssl-crl-dps-dos:

TALOS-2018-0758 SSL CRL distribution points Denial of Service
=============================================================

.. warning::

   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for
   vulnerabilities affecting Python `_ is available on GitHub in the Open
   Source Vulnerability (OSV) format. This vulnerability can be viewed online at
   the `Open Source Vulnerability Database `_.

An exploitable denial-of-service vulnerability exists in the X509 certificate
parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509
certificate can cause a NULL pointer dereference, resulting in a denial of
service. An attacker can initiate or accept TLS connections using crafted
certificates to trigger this vulnerability.

Christian Heimes added the following comment.

The bug is less critical and harder to exploit than I initially thought.
tl;dr if you have cert validation enabled and only trust public root CAs from
CA/B forum, then you are not affected.

The bug is only exploitable under two conditions:

1) The user has disabled TLS/SSL certificate validation *and* calls
   getpeercert() in 3rd party code.
2) Or the user trusts a CA that does not properly validate end-entity
   certificates.

When cert validation is enabled, the ssl module will refuse any untrusted
certificate during the handshake. The SSLSocket.getpeercert() and
SSLObject.getpeercert() methods raise an exception when the handshake was not
successful. Python 2.7 - 3.6 hostname verification code only calls
getpeercert() after the cert chain was validated successfully. Python 3.7+ no
longer calls getpeercert() for hostname verification. Furthermore, hostname
verification can't be enabled when cert validation is disabled.

For publicly trusted CAs governed by CA/B baseline requirements, CRL DPs must
be valid URI general names with HTTP links.

From CA/Browser Forum Baseline Requirements Version 1.6.2, December 10, 2018,
section 7.1.2.3. Subscriber Certificate:

    b. cRLDistributionPoints

    This extension MAY be present. If present, it MUST NOT be marked critical,
    and it MUST contain the HTTP URL of the CA’s CRL service.

Patch by **Christian Heimes**.

Dates:

* Disclosure date: **2019-01-15** (Python issue bpo-35746 reported)
* Reported at: 2019-01-15
* Reported by: Colin Read and Nicolas Edet of Cisco.

Fixed In
--------

* Python **2.7.16** (2019-03-02) fixed by `commit 06b1542 (branch 2.7) `_ (2019-01-15)
* Python **3.4.10** (2019-03-18) fixed by `commit 6c655ce (branch 3.4) `_ (2019-02-25)
* Python **3.5.7** (2019-03-18) fixed by `commit efec763 (branch 3.5) `_ (2019-02-26)
* Python **3.6.9** (2019-07-02) fixed by `commit 216a4d8 (branch 3.6) `_ (2019-01-16)
* Python **3.7.3** (2019-03-25) fixed by `commit be5de95 (branch 3.7) `_ (2019-01-15)
* Python **3.8.0** (2019-10-14) fixed by `commit a37f524 (branch 3.8) `_ (2019-01-15)

Python issue
------------

[ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service.

* Python issue: `bpo-35746 `_
* Creation date: 2019-01-15
* Reporter: Cisco Talos

CVE-2019-5010
-------------

An exploitable denial-of-service vulnerability exists in the X509 certificate
parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509
certificate can cause a NULL pointer dereference, resulting in a denial of
service. An attacker can initiate or accept TLS connections using crafted
certificates to trigger this vulnerability.

* CVE ID: `CVE-2019-5010 `_
* Published: 2019-10-31
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2019-01-15** as reference:

* 2019-01-15: Reported
* 2019-01-15: Disclosure date (Python issue bpo-35746 reported)
* 2019-01-15: `Python issue bpo-35746 `_ reported by Cisco Talos
* 2019-01-15: `commit 06b1542 (branch 2.7) `_
* 2019-01-15: `commit a37f524 (branch 3.8) `_
* 2019-01-15: `commit be5de95 (branch 3.7) `_
* 2019-01-16 (**+1 days**): `commit 216a4d8 (branch 3.6) `_
* 2019-02-25 (**+41 days**): `commit 6c655ce (branch 3.4) `_
* 2019-02-26 (**+42 days**): `commit efec763 (branch 3.5) `_
* 2019-03-02 (**+46 days**): Python 2.7.16 released
* 2019-03-18 (**+62 days**): Python 3.4.10 released
* 2019-03-18 (**+62 days**): Python 3.5.7 released
* 2019-03-25 (**+69 days**): Python 3.7.3 released
* 2019-07-02 (**+168 days**): Python 3.6.9 released
* 2019-10-14: Python 3.8.0 released
* 2019-10-31 (**+289 days**): CVE-2019-5010 published

Links
-----

* https://blog.talosintelligence.com/2019/01/vulnerability-spotlight-pythonorg.html
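The two configurations the comment above distinguishes, as an added example that is not code from the advisory or from CPython: the affected pattern (validation disabled, then ``getpeercert()`` called) next to the unaffected default context, a guard that keeps third-party code from decoding an unvalidated peer certificate, and a check of the CA/B Baseline Requirements rule that every CRL distribution point is an HTTP URL. The function names, the guard and the sample URIs are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit


def vulnerable_context() -> ssl.SSLContext:
    """Condition 1 from the comment: chain validation switched off, so a
    crafted peer certificate reaches the X509 parser unvalidated as soon
    as some library calls getpeercert() on the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Not affected: the default context validates the chain against the
    system trust store (CERT_REQUIRED) and checks the hostname, so an
    untrusted certificate aborts the handshake before getpeercert() runs."""
    return ssl.create_default_context()


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True when the context validates certificates and hostnames."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def peer_cert_if_validated(sock: ssl.SSLSocket) -> dict:
    """Guard for third-party code (hypothetical helper): decode the peer
    certificate only when the socket's context validated the chain.
    getpeercert() itself already raises if the handshake did not complete."""
    if not context_is_safe(sock.context):
        raise RuntimeError("refusing getpeercert() on an unvalidated peer")
    return sock.getpeercert()


def crl_dps_meet_baseline(cert: dict) -> bool:
    """CA/B BR 1.6.2 section 7.1.2.3(b): each CRL distribution point must be
    an HTTP URL. `cert` is a getpeercert()-style dict, whose optional
    'crlDistributionPoints' entry is a tuple of URI strings."""
    for uri in cert.get("crlDistributionPoints", ()):
        parts = urlsplit(uri)
        if parts.scheme.lower() != "http" or not parts.netloc:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: one compliant and one non-compliant CRL DP set.
    print(context_is_safe(vulnerable_context()), context_is_safe(hardened_context()))
    print(crl_dps_meet_baseline({"crlDistributionPoints": ("http://crl.example.test/ca.crl",)}))
    print(crl_dps_meet_baseline({"crlDistributionPoints": ("ldap://crl.example.test/cn=ca",)}))
```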