.. _ssl-null-subjectaltnames:

ssl: NULL in subjectAltNames
============================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The canonical
   database for vulnerabilities affecting Python is available on GitHub
   in the Open Source Vulnerability (OSV) format. This vulnerability can
   be viewed online at the Open Source Vulnerability Database.

The ``ssl`` module fails to handle NULL bytes inside subjectAltName general
names: a dNSName such as ``www.example.com\0.attacker.example`` is
truncated at the NULL byte when it is converted to a Python string, so it
compares equal to ``www.example.com``. It is related to Ruby's
CVE-2013-4073.

Issue #18709 was reported by Christian Heimes on 2013-08-12.

Dates:

* Disclosure date: **2013-06-27** (Ruby issue)
* Reported by: Ryan Sleevi of the Google Chrome Security Team

Fixed In
--------

* Python **2.6.9** (2013-10-29) fixed by commit 82f8828 (branch 2.7) (2013-08-23)
* Python **2.7.6** (2013-11-10) fixed by commit 82f8828 (branch 2.7) (2013-08-23)
* Python **3.2.6** (2014-10-12) fixed by commit ec3c103 (branch 3.2) (2014-09-30)
* Python **3.3.3** (2013-11-17) fixed by commit 824f7f3 (branch 3.3) (2013-08-16)
* Python **3.4.0** (2014-03-16) fixed by commit 824f7f3 (branch 3.3) (2013-08-16)

Python issue
------------

The SSL module fails to handle NULL bytes inside subjectAltName general
names (CVE-2013-4238).

* Python issue: bpo-18709
* Creation date: 2013-08-12
* Reporter: Christian Heimes

CVE-2013-4238
-------------

The ``ssl.match_hostname`` function in the SSL module in Python 2.6
through 3.4 does not properly handle a ``'\0'`` character in a domain
name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers
via a crafted certificate issued by a legitimate Certification
Authority, a related issue to CVE-2009-2408.
* CVE ID: CVE-2013-4238
* Published: 2013-08-18
* CVSS Score: 4.3

Timeline
--------

Timeline using the disclosure date **2013-06-27** as reference:

* 2013-06-27: Disclosure date (Ruby issue)
* 2013-08-12 (**+46 days**): Python issue bpo-18709 reported by Christian Heimes
* 2013-08-16 (**+50 days**): commit 824f7f3 (branch 3.3)
* 2013-08-18 (**+52 days**): CVE-2013-4238 published
* 2013-08-23 (**+57 days**): commit 82f8828 (branch 2.7)
* 2013-10-29 (**+124 days**): Python 2.6.9 released
* 2013-11-10 (**+136 days**): Python 2.7.6 released
* 2013-11-17 (**+143 days**): Python 3.3.3 released
* 2014-03-16 (**+262 days**): Python 3.4.0 released
* 2014-09-30 (**+460 days**): commit ec3c103 (branch 3.2)
* 2014-10-12 (**+472 days**): Python 3.2.6 released

Links
-----

* https://nvd.nist.gov/vuln/detail/CVE-2013-4073/
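The following is an added illustration of the bug described under
CVE-2013-4238 above; it is not code from this advisory or from CPython.
It encodes a single dNSName GeneralName whose value contains an embedded
NULL byte, decodes it two ways (treating the value as a C string, which
stops at the first NULL, versus honouring the declared ASN.1 length) and
feeds both results to a hostname matcher. The DER helpers, the
``dnsname_matches`` matcher and ``cert_matches_hostname`` are simplified
stand-ins written for this example, not the stdlib's ``_ssl.c`` or
``ssl.match_hostname()``; the certificate dict shape mirrors what
``SSLSocket.getpeercert()`` returns, and the sample name
``www.example.com\0.attacker.example`` is constructed here.

```python
"""CVE-2013-4238 illustration: a dNSName SAN with an embedded NUL byte.

Added example, not code from the advisory or from CPython. The DER helpers
and the matcher are simplified stand-ins written for this page.
"""


def der_dnsname(name: bytes) -> bytes:
    """Encode a GeneralName of type dNSName ([2] IMPLICIT IA5String).

    Context-specific primitive tag 2 is 0x82. Short-form length only
    (name shorter than 128 bytes), which is all this demo needs.
    """
    if len(name) >= 128:
        raise ValueError("short-form DER length only")
    return b"\x82" + bytes([len(name)]) + name


def _der_value(general_name: bytes) -> bytes:
    """Return the raw IA5String bytes of a short-form dNSName GeneralName."""
    tag, length = general_name[0], general_name[1]
    if tag != 0x82:
        raise ValueError("not a dNSName GeneralName")
    return general_name[2:2 + length]


def decode_dnsname_vulnerable(general_name: bytes) -> str:
    """Pre-fix behaviour: the value is read as a C string, so it ends at the first NUL."""
    raw = _der_value(general_name)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def decode_dnsname_fixed(general_name: bytes) -> str:
    """Post-fix behaviour: the declared ASN.1 length is honoured, NUL included."""
    raw = _der_value(general_name)
    return raw.decode("ascii")


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label comparison; '*' allowed only as the whole leftmost label.

    Simplified stand-in for the per-name check in ssl.match_hostname(). It has
    no special handling for NUL at all: once the full name is preserved it
    simply never equals the hostname.
    """
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    return p_labels == h_labels


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Check a getpeercert()-style dict against a hostname.

    Defence in depth in front of any matcher: an IA5String dNSName has no
    business containing NUL, so a certificate carrying one is treated as
    malformed and rejected outright rather than skipped.
    """
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if "\x00" in value:
            return False
        if dnsname_matches(value, hostname):
            return True
    return False


# Constructed sample: reads as www.example.com to a C string, but the real
# value is www.example.com\0.attacker.example
EVIL_SAN = der_dnsname(b"www.example.com\x00.attacker.example")

if __name__ == "__main__":
    vuln = decode_dnsname_vulnerable(EVIL_SAN)
    fixed = decode_dnsname_fixed(EVIL_SAN)
    print("vulnerable decode:", repr(vuln), dnsname_matches(vuln, "www.example.com"))
    print("fixed decode:     ", repr(fixed), dnsname_matches(fixed, "www.example.com"))
```

The vulnerable decode yields ``'www.example.com'`` and matches, which is
the spoof the CVE describes; the length-aware decode yields the full
string and does not. Since Python 3.7 hostname matching for TLS
connections is performed by OpenSSL rather than by
``ssl.match_hostname()``, which was deprecated in 3.7 and removed in
3.12, so code that still implements its own matching over
``getpeercert()`` output should at least apply the NUL rejection shown in
``cert_matches_hostname``.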