ssl: NULL in subjectAltNames¶
SSL module fails to handle NULL bytes inside subjectAltNames general names.
It’s related to Ruby’s CVE-2013-4073.
Issue #18709 reported by Christian Heimes at 2013-08-12.
- Disclosure date: 2013-06-27 (Ruby issue)
- Reported by: Ryan Sleevi of the Google Chrome Security Team
Fixed In¶
- Python 2.6.9 (2013-10-29) fixed by commit 82f8828 (branch 2.7) (2013-08-23)
- Python 2.7.6 (2013-11-10) fixed by commit 82f8828 (branch 2.7) (2013-08-23)
- Python 3.2.6 (2014-10-11) fixed by commit ec3c103 (branch 3.2) (2014-09-30)
- Python 3.3.3 (2013-11-17) fixed by commit 824f7f3 (branch 3.3) (2013-08-16)
- Python 3.4.0 (2014-03-16) fixed by commit 824f7f3 (branch 3.3) (2013-08-16)
Python issue¶
SSL module fails to handle NULL bytes inside subjectAltNames general names (CVE-2013-4238).
- Python issue: bpo-18709
- Creation date: 2013-08-12
- Reporter: Christian Heimes
CVE-2013-4238¶
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a ‘0’ character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
- CVE ID: CVE-2013-4238
- Published: 2013-08-18
- CVSS Score: 4.3
Timeline¶
Timeline using the disclosure date 2013-06-27 as reference:
- 2013-06-27: Disclosure date (Ruby issue)
- 2013-08-12 (+46 days): Python issue bpo-18709 reported by Christian Heimes
- 2013-08-16 (+50 days): commit 824f7f3 (branch 3.3)
- 2013-08-18 (+52 days): CVE-2013-4238 published
- 2013-08-23 (+57 days): commit 82f8828 (branch 2.7)
- 2013-10-29 (+124 days): Python 2.6.9 released
- 2013-11-10 (+136 days): Python 2.7.6 released
- 2013-11-17 (+143 days): Python 3.3.3 released
- 2014-03-16: Python 3.4.0 released
- 2014-09-30 (+460 days): commit ec3c103 (branch 3.2)
- 2014-10-11 (+471 days): Python 3.2.6 released