[CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

CVE-2020-15523 is an invalid DLL search path in Python 3.6 and later on Windows. It occurs during Py_Initialize(), when the runtime attempts to pre-load python3.dll. If Py_SetPath() has been called, the expected location of python3.dll is never set, so the runtime falls back to searching other locations on the user's system, which allows an attacker-placed python3.dll to be loaded instead of the embedder's own copy.

This issue is not triggered when running python.exe. It only applies when CPython has been embedded in another application.

The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 3.6.12 (source only).

Other than applying the patch, applications may mitigate the vulnerability by explicitly calling LoadLibrary() on their copy of python3.dll before calling Py_Initialize(). Even with the patch applied, applications should include a copy of python3.dll alongside their main Python DLL.
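The mitigation above, as an added example in C for an embedding application (this is not code from CPython or from this advisory). The point a practitioner should not miss is that the pre-load must name python3.dll by absolute path: a bare LoadLibrary("python3.dll") would itself walk the default DLL search order, which is the very behaviour the vulnerability exploits. The path helper is portable C and is what the non-Windows branch exercises; the Windows branch resolves the directory of the host executable with GetModuleFileNameA, loads python3.dll from there, and only then calls Py_SetPath() and Py_Initialize(). The layout (python3.dll beside the executable, the standard library in C:\App\Lib) and the sample path C:\App\embed.exe are assumptions for illustration.

```c
#ifdef _WIN32
#include <Python.h>    /* CPython C API; the docs require it before other headers */
#include <windows.h>
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build "<directory of module_path>python3.dll" into out. module_path is the
 * absolute path of the embedding executable (or of the python3X.dll shipped
 * with it); both '\\' and '/' are accepted as separators. Returns the length
 * written, or 0 if the path has no directory part or out is too small. */
size_t python3_dll_path_from(const char *module_path, char *out, size_t out_len)
{
    static const char dll_name[] = "python3.dll";
    const char *bs = strrchr(module_path, '\\');
    const char *fs = strrchr(module_path, '/');
    const char *sep = bs;
    if (fs != NULL && (bs == NULL || fs > bs))
        sep = fs;
    if (sep == NULL)
        return 0;
    size_t dir_len = (size_t)(sep - module_path) + 1;   /* keep the separator */
    size_t total = dir_len + sizeof dll_name - 1;       /* length without NUL */
    if (total + 1 > out_len)
        return 0;
    memcpy(out, module_path, dir_len);
    memcpy(out + dir_len, dll_name, sizeof dll_name);   /* copies the NUL too */
    return total;
}

#ifdef _WIN32
/* Mitigation for CVE-2020-15523 on an unpatched runtime: load our own copy of
 * python3.dll by absolute path before Py_Initialize(). A bare
 * LoadLibraryA("python3.dll") would search the default DLL search order,
 * which is exactly what the vulnerable pre-load in Py_Initialize() does. */
HMODULE preload_python3_dll(void)
{
    char exe[MAX_PATH];
    char dll[MAX_PATH];
    DWORD n = GetModuleFileNameA(NULL, exe, MAX_PATH);
    if (n == 0 || n >= MAX_PATH)
        return NULL;
    if (python3_dll_path_from(exe, dll, sizeof dll) == 0)
        return NULL;
    return LoadLibraryA(dll);   /* absolute path: no search order involved */
}
#endif

int main(void)
{
#ifdef _WIN32
    if (preload_python3_dll() == NULL) {
        fprintf(stderr, "could not preload python3.dll (error %lu)\n",
                (unsigned long)GetLastError());
        return 1;
    }
    /* Assumed layout: the standard library lives in C:\App\Lib. */
    Py_SetPath(L"C:\\App\\Lib");
    Py_Initialize();
    PyRun_SimpleString("import sys; print(sys.path)");
    Py_Finalize();
#else
    /* Not Windows: only show which path the mitigation would load. */
    char dll[260];
    if (python3_dll_path_from("C:\\App\\embed.exe", dll, sizeof dll) != 0)
        printf("would LoadLibraryA(\"%s\")\n", dll);   /* constructed sample path */
#endif
    return 0;
}
```

Build it with the same Python headers and import library the application already links against; the order matters only in that the LoadLibrary() call must precede Py_Initialize(). Keeping a copy of python3.dll next to the executable, as the advisory recommends, is what makes the absolute path above resolve.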

Thanks to Eric Gantumur for detecting and reporting the issue to the Python Security Response Team.

Python issue bpo-41304 (https://bugs.python.org/issue41304) fixed a regression introduced by the fix for this vulnerability.

The original discovery credit goes to Eran Shimony and Ido Hoorvitch from CyberArk.

  • Disclosure date: 2017-03-10 (Python issue bpo-29778 reported)
  • Reported at: 2020-06-24 (email to PSRT)
  • Reported by: Erdenebat (Eric) Gantumur

Fixed In

Vulnerable Versions

  • Python 3.6 (need release)
  • Python 3.7 (need release)

Python issue

[CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath.

  • Python issue: bpo-29778
  • Creation date: 2017-03-10
  • Reporter: Tibor Csonka

CVE-2020-15523

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.

Timeline

Timeline using the disclosure date 2017-03-10 as reference: