ssl.match_hostname() wildcard DoS

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

If the name in the certificate contains many * characters (wildcard), matching the compiled regular expression against the host name can take a very long time.

Certificate validation happens before host name checking, so I think this is a minor issue only because it can only be triggered in cooperation with a CA (which seems unlikely).
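To make the mechanism concrete, here is an added example that is not code from this page or from CPython. `dnsname_to_pat_vulnerable` is a reconstruction (an assumption) of how the pre-fix matcher turned each `*` into an unbounded `[^.]*` repeat, `dnsname_match_fixed` follows the shape of the fix described in bpo-17980 (reject a name whose leftmost label carries more than one wildcard before compiling any regex, and match later labels literally), and `candidate_splits` and `time_match` are helper names chosen here to show why the runtime grows. The sample names and hostnames are constructed; `math.comb` needs Python 3.8 or later.

```python
import math
import re
import time


class CertificateError(ValueError):
    """Raised when a certificate name is rejected before matching."""


def dnsname_to_pat_vulnerable(dn):
    """Build the host-name regex the way the pre-fix matcher did
    (reconstruction, not the CPython source): every '*' inside a label
    becomes '[^.]*', however many there are, so a label such as
    '********a' compiles to eight adjacent greedy repeats."""
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')  # a bare '*' label matches one non-empty label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def dnsname_match_vulnerable(dn, hostname):
    """Match with the unbounded pattern; runtime explodes on crafted names."""
    return dnsname_to_pat_vulnerable(dn).match(hostname) is not None


def dnsname_match_fixed(dn, hostname, max_wildcards=1):
    """Hardened matcher in the shape of the bpo-17980 fix: count the '*'
    characters in the leftmost label and refuse the name before any regex
    is compiled; labels after the first are matched literally."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    if leftmost.count('*') > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))
    if leftmost == '*':
        pats = ['[^.]+']
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def candidate_splits(wildcards, label_len):
    """Number of ways the regex engine can distribute a non-matching label
    of label_len characters across `wildcards` adjacent '[^.]*' groups:
    C(label_len + wildcards - 1, wildcards - 1). Each split is tried
    before the match fails, which is the source of the CPU burn."""
    return math.comb(label_len + wildcards - 1, wildcards - 1)


def time_match(dn, hostname):
    """Seconds the vulnerable matcher spends rejecting one hostname."""
    t0 = time.perf_counter()
    dnsname_match_vulnerable(dn, hostname)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed inputs: a crafted certificate name with k wildcards in the
    # leftmost label, and a hostname whose first label can never match it
    # (it does not end in 'a'), so the engine exhausts every split.
    host = 'b' * 16 + '.example.com'
    for k in (2, 4, 6, 8):
        crafted = '*' * k + 'a.example.com'
        print("wildcards=%d splits=%d vulnerable=%.3fs"
              % (k, candidate_splits(k, 16), time_match(crafted, host)))
        try:
            dnsname_match_fixed(crafted, host)
        except CertificateError as exc:
            print("  fixed matcher rejects it:", exc)
```

Running the script shows the split count, and with it the measured time, climbing steeply with each extra wildcard while the hardened matcher rejects every crafted name in constant time. The check sits before `re.compile` deliberately: the cost is in matching, not compiling, so a limit applied after the pattern is built would be too late. As the reporter notes, the name still has to come from a certificate that passed chain validation, which is why the issue was rated minor.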

Dates:

  • Disclosure date: 2013-05-15 (Python issue bpo-17980 reported)

Fixed In

Python issue

CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names.

  • Python issue: bpo-17980
  • Creation date: 2013-05-15
  • Reporter: Florian Weimer

CVE-2013-2099

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Timeline

Timeline using the disclosure date 2013-05-15 as reference:

  • 2013-05-15: Python issue bpo-17980 reported by Florian Weimer
  • 2013-05-18 (+3 days): commit 86d53ca (branch 3.2)
  • 2013-10-09 (+147 days): CVE-2013-2099 published
  • 2013-11-17 (+186 days): Python 3.3.3 released
  • 2014-03-16 (+305 days): Python 3.4.0 released
  • 2014-10-12 (+515 days): Python 3.2.6 released