TALOS-2018-0758 SSL CRL distribution points Denial of Service
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
Christian Heimes added the following comment.
The bug is less critical and harder to exploit than I initially thought. tl;dr if you have cert validation enabled and only trust public root CAs from CA/B forum, then you are not affected.
The bug is only exploitable under two conditions:
- The user has disabled TLS/SSL certificate validation and calls getpeercert() in 3rd party code.
- Or the user trusts a CA that does not properly validate end-entity certificates.
When cert validation is enabled, the ssl module will refuse any untrusted certificate during the handshake. The SSLSocket.getpeercert() and SSLObject.getpeercert() methods raise an exception when the handshake was not successful. Python 2.7 - 3.6 hostname verification code only calls getpeercert() after the cert chain was validated successfully. Python 3.7+ no longer calls getpeercert() for hostname verification. Furthermore, hostname verification can’t be enabled when cert validation is disabled.
For publicly trusted CAs governed by CA/B baseline requirements, CRL DPs must be valid URI general names with HTTP links. From CA/Browser Forum Baseline Requirements Version 1.6.2, December 10, 2018, section 7.1.2.3. Subscriber Certificate:
This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP URL of the CA’s CRL service.
Patch by Christian Heimes.
- Disclosure date: 2019-01-15 (Python issue bpo-35746 reported)
- Reported at: 2019-01-15
- Reported by: Colin Read and Nicolas Edet of Cisco.
- Python 2.7.16 (2019-03-02) fixed by commit 06b1542 (branch 2.7) (2019-01-15)
- Python 3.4.10 (2019-03-18) fixed by commit 6c655ce (branch 3.4) (2019-02-25)
- Python 3.5.7 (2019-03-17) fixed by commit efec763 (branch 3.5) (2019-02-26)
- Python 3.6.9 (2019-07-03) fixed by commit 216a4d8 (branch 3.6) (2019-01-16)
- Python 3.7.3 (2019-03-25) fixed by commit be5de95 (branch 3.7) (2019-01-15)
- Python 3.8.0 (2019-10-14) fixed by commit a37f524 (branch 3.8) (2019-01-15)
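A triage helper for the fixed-version list above and the two conditions in the quoted comment, added here as an example; it is not part of the advisory or of CPython. The names `is_patched`, `triage` and `make_contexts` are hypothetical, and the two contexts are constructed samples.

```python
import ssl
import sys

# First fixed release per branch, copied from the list above.
FIXED = {(2, 7): (2, 7, 16), (3, 4): (3, 4, 10), (3, 5): (3, 5, 7),
         (3, 6): (3, 6, 9), (3, 7): (3, 7, 3)}


def is_patched(version=None):
    """True if (major, minor, micro) is at or past the fixed release of its branch."""
    v = tuple((version or sys.version_info)[:3])
    if v >= (3, 8, 0):
        return True  # 3.8.0 and everything after it carries the fix
    fixed = FIXED.get(v[:2])
    # A branch missing from the list has no fixed release on this page: unpatched.
    return fixed is not None and v >= fixed


def triage(ctx, version=None):
    """Classify an SSLContext using the two conditions from the quoted comment."""
    if is_patched(version):
        return "patched"
    if ctx.verify_mode == ssl.CERT_NONE:
        return "condition 1: validation disabled"
    # Condition 2 is a trust-store question that code cannot answer here.
    return "validation on: review trusted CAs"


def make_contexts():
    """Constructed sample contexts: a default client context and a weakened one."""
    strict = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False  # must be cleared before verify_mode can drop
    weak.verify_mode = ssl.CERT_NONE
    return strict, weak


if __name__ == "__main__":
    strict, weak = make_contexts()
    print("this interpreter:", triage(strict))
    for ver in [(2, 7, 11), (3, 6, 6), (3, 7, 3)]:
        print(ver, "| strict:", triage(strict, ver), "| weak:", triage(weak, ver))
```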
[ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service.
- Python issue: bpo-35746
- Creation date: 2019-01-15
- Reporter: Cisco Talos
Timeline using the disclosure date 2019-01-15 as reference:
- 2019-01-15: Disclosure date (Python issue bpo-35746 reported)
- 2019-01-15 (+0 days): Reported
- 2019-01-15 (+0 days): Python issue bpo-35746 reported by Cisco Talos
- 2019-01-15 (+0 days): commit 06b1542 (branch 2.7)
- 2019-01-15 (+0 days): commit a37f524 (branch 3.8)
- 2019-01-15 (+0 days): commit be5de95 (branch 3.7)
- 2019-01-16 (+1 days): commit 216a4d8 (branch 3.6)
- 2019-02-25 (+41 days): commit 6c655ce (branch 3.4)
- 2019-02-26 (+42 days): commit efec763 (branch 3.5)
- 2019-03-02 (+46 days): Python 2.7.16 released
- 2019-03-17 (+61 days): Python 3.5.7 released
- 2019-03-18 (+62 days): Python 3.4.10 released
- 2019-03-25 (+69 days): Python 3.7.3 released
- 2019-07-03 (+169 days): Python 3.6.9 released
- 2019-10-14: Python 3.8.0 released