Hash DoS
Hash collision denial of service.
Python 2.7 and older and Python 3.2 and older require the -R command line option to enable hash function randomization. Randomization is enabled by default since Python 3.3 (the -R option is ignored).
Disclosed in the “Effective Denial of Service attacks against web application platforms” talk at the CCC on 2011-12-28.
See also PEP 456 (Secure and interchangeable hash algorithm): Python 3.4 switched to SipHash.
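An added example (not part of this page or of CPython) showing both sides of the issue: a constructed key type whose constant hash reproduces the quadratic dict-insert slowdown that crafted input caused against the unrandomized str hash, and two checks that the fix is in effect, via sys.flags.hash_randomization and by observing that hash() of a string differs between fresh interpreter processes. The Key class, the probe string and the default sizes are constructed for this demonstration; it assumes Python 3.7+ (subprocess.run with capture_output).

```python
import os
import subprocess
import sys
import time

class Key:
    """Constructed dict key. collide=True forces every instance into one
    bucket, mimicking crafted str keys against the unrandomized hash."""
    __slots__ = ("value", "collide")

    def __init__(self, value, collide):
        self.value, self.collide = value, collide

    def __hash__(self):
        return 0 if self.collide else hash(self.value)

    def __eq__(self, other):
        return isinstance(other, Key) and self.value == other.value

def insertion_seconds(keys):
    """Wall-clock time to build a dict from an iterable of keys."""
    start = time.perf_counter()
    table = {}
    for k in keys:
        table[k] = None
    return time.perf_counter() - start

def collision_slowdown(n=1000):
    """Insert time for n colliding keys divided by that for n spread keys.
    Each colliding insert probes every earlier key, so cost is quadratic."""
    colliding = insertion_seconds(Key(i, True) for i in range(n))
    spread = insertion_seconds(Key(i, False) for i in range(n))
    return colliding / spread

def hash_randomization_enabled():
    """True when str/bytes hashes are seeded per process (default since 3.3,
    -R or PYTHONHASHSEED on the patched 2.6.8/2.7.3/3.1.5/3.2.3 releases)."""
    return bool(sys.flags.hash_randomization)

def str_hash_varies_across_processes(runs=3):
    """Spawn fresh interpreters without PYTHONHASHSEED and check that
    hash('hash-dos-probe') is not the same value every time."""
    env = {k: v for k, v in os.environ.items() if k != "PYTHONHASHSEED"}
    code = "print(hash('hash-dos-probe'))"
    seen = {subprocess.run([sys.executable, "-c", code], env=env, check=True,
                           capture_output=True, text=True).stdout.strip()
            for _ in range(runs)}
    return len(seen) > 1
```

Run under PYTHONHASHSEED=0 the flag check reports False, which is the state the -R option and the 3.3 default were introduced to avoid.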
- Ruby: CRuby 1.9 fixed the vulnerability in 2008 with randomized hash function; JRuby has also been fixed.
- Perl: Perl 5.8.1 fixed the vulnerability in 2003 using a random “PERL_HASH_SEED”.
Dates:
- Disclosure date: 2011-12-28 (CCC talk)
- Reported by: Alexander “alech” Klink and Julian “zeri” Wälde
Fixed In
- Python 2.6.8 (2012-04-10) fixed by commit 1e13eb0 (branch 2.6) (2012-02-21)
- Python 2.7.3 (2012-04-09) fixed by commit 1e13eb0 (branch 2.6) (2012-02-21)
- Python 3.1.5 (2012-04-06) fixed by commit 2daf6ae (branch 2.7) (2012-02-20)
- Python 3.2.3 (2012-04-10) fixed by commit 2daf6ae (branch 2.7) (2012-02-20)
- Python 3.3.0 (2012-09-29) fixed by commit 2daf6ae (branch 2.7) (2012-02-20)
Python issue
Hash collision security issue.
- Python issue: bpo-13703
- Creation date: 2012-01-03
- Reporter: Barry A. Warsaw
CVE-2012-1150
Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
- CVE ID: CVE-2012-1150
- Published: 2012-10-05
- CVSS Score: 5.0
Timeline
Timeline using the disclosure date 2011-12-28 as reference:
- 2011-12-28: Disclosure date (CCC talk)
- 2012-01-03 (+6 days): Python issue bpo-13703 reported by Barry A. Warsaw
- 2012-02-20 (+54 days): commit 2daf6ae (branch 2.7)
- 2012-02-21 (+55 days): commit 1e13eb0 (branch 2.6)
- 2012-04-06 (+100 days): Python 3.1.5 released
- 2012-04-09 (+103 days): Python 2.7.3 released
- 2012-04-10 (+104 days): Python 2.6.8 released
- 2012-04-10 (+104 days): Python 3.2.3 released
- 2012-09-29 (+276 days): Python 3.3.0 released
- 2012-10-05 (+282 days): CVE-2012-1150 published