[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface

In the ipaddress library there exists two classes IPv4Interface, and IPv6Interface. These classes’ hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects then are put in a dictionary, on for example a server storing IPs, this will cause hash collisions, which in turn can lead to DOS.

Resolve hash collisions for IPv4Interface and IPv6Interface. The __hash__() methods of classes IPv4Interface and IPv6Interface had issue of generating constant hash values of 32 and 128 respectively causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of XOR operation.

  • Disclosure date: 2020-06-17 (Python issue bpo-41004 reported)

Fixed In

Vulnerable Versions

  • Python 3.6 (need release)
  • Python 3.7 (need release)

Python issue

[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface.

  • Python issue: bpo-41004
  • Creation date: 2020-06-17
  • Reporter: martin wennberg

CVE-2020-14422

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

Timeline

Timeline using the disclosure date 2020-06-17 as reference: