A vulnerability has been detected in Python's SSLSocket


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

A few days ago, news broke that a critical security vulnerability had been discovered in Python's SSLSocket module. The vulnerability (already tracked as CVE-2023-40217) allows an attacker to bypass the TLS handshake and inject malicious data into a secure connection.

The problem lies in the SSLSocket class: the TLS negotiation stage and the processing tied to it, such as certificate verification, can be skipped. A successful attack can cause unencrypted data to be treated as if it had been transmitted over a valid TLS connection.

The affected versions of Python are mentioned to be:

  • Python 3.12.0a1 to 3.12.0rc1
  • Python 3.11.0 to 3.11.4
  • Python 3.10.0 to 3.10.12
  • Python 3.9.0 to 3.9.17
  • Python 3.8.0 to 3.8.17
  • Python 3.7.17 and earlier

The root cause is that, after the socket is created, there is a small window during which data that has already been received and stored in the buffer is treated as if it had been read from the client, provided the connection is closed before the TLS negotiation begins. To carry out an attack, it is enough to establish a connection, send data immediately, and close the socket without waiting for the TLS negotiation to take place. The amount of data that can be sent in an attack is limited by the size of the network buffer.

The vulnerability affects server applications (for example, HTTPS servers) and other server-side protocols that use Python's standard SSL client authentication to establish a secure communication channel with client certificate authentication (for example, mTLS). It is particularly dangerous for HTTPS servers, since an attacker could exploit it to bypass the TLS handshake and inject a rogue client certificate into the connection. This would allow the attacker to gain access to server resources without being authenticated.

In addition, it is mentioned that the vulnerability can also be used to attack clients that connect to a server controlled by an attacker, if those clients immediately proceed to read data from the socket without first sending a request (normal client applications such as pip, which use HTTPS to send requests, are not affected).

The vulnerability can only be used to send data without going through certificate authentication; since the connection is closed immediately, the response to the request is never sent back to the client. Even so, it can be used for API attacks in which changes are made or data is deleted.

This vulnerability *affects* clients that read and process data from the server after a TLS handshake without sending any data first. Our team is unaware of a protocol using TLS that fits this usage pattern.

This vulnerability *does not* affect client-side HTTPS connections such as pip or requests, since an HTTP request must be sent before an HTTP response is read, which means the connection will already be closed by the time the client sends its HTTP request, and that will cause an error.
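The affected version ranges and the pre-handshake window described above, turned into a defensive check as an added example (not code from the article or from CPython itself): `is_affected_python`, `tls_established` and `wrap_and_require_handshake` are hypothetical helper names, and the `Stub` classes are constructed stand-ins so the check runs offline without certificates.

```python
import ssl
import sys
# First fixed micro release per 3.x branch, derived from the affected ranges listed above
# (3.11.0 to 3.11.4 affected means 3.11.5 carries the fix); 3.12 pre-releases are special-cased.
_FIRST_FIXED_MICRO = {11: 5, 10: 13, 9: 18, 8: 18}

def is_affected_python(v=sys.version_info) -> bool:
    """True if (major, minor, micro, releaselevel, serial) lies in an affected range."""
    major, minor, micro, level, serial = v[:5]
    if major != 3:
        return False
    if minor == 12:  # 3.12.0a1 .. 3.12.0rc1; rc2 and 3.12.0 final are fixed
        return micro == 0 and (level in ("alpha", "beta") or (level == "candidate" and serial < 2))
    if minor in _FIRST_FIXED_MICRO:
        return micro < _FIRST_FIXED_MICRO[minor]
    return minor <= 7  # "3.7.17 and earlier": end-of-life branches, never fixed

def tls_established(ssl_sock) -> bool:
    return ssl_sock.version() is not None  # version() stays None until TLS was negotiated

def wrap_and_require_handshake(sock, context, server_side=True):
    """Wrap a connected socket and hand it back only if the handshake really completed.
    In the pre-handshake window an affected interpreter returns an SSLSocket whose handshake
    never ran, so recv() would yield the peer's plaintext as if it had arrived over TLS."""
    ssl_sock = context.wrap_socket(sock, server_side=server_side, do_handshake_on_connect=True)
    if not tls_established(ssl_sock):
        ssl_sock.close()
        raise ssl.SSLError("TLS handshake did not complete; refusing to read from socket")
    return ssl_sock

# Constructed stand-ins (not real sockets) so the guard can run offline without
# certificates; they mimic only the SSLContext/SSLSocket methods the guard touches.
class StubSSLSocket:
    def __init__(self, negotiated): self.negotiated, self.closed = negotiated, False
    def version(self): return self.negotiated
    def close(self): self.closed = True

class StubContext:
    def __init__(self, negotiated): self.negotiated = negotiated
    def wrap_socket(self, sock, server_side=True, do_handshake_on_connect=True):
        return StubSSLSocket(self.negotiated)

def demo() -> dict:
    ok = wrap_and_require_handshake(None, StubContext("TLSv1.3"))  # handshake finished
    try:
        wrap_and_require_handshake(None, StubContext(None))        # never negotiated
        rejected = False
    except ssl.SSLError:
        rejected = True
    return {"handshake_ok": ok.version() == "TLSv1.3", "pre_handshake_rejected": rejected}
```

On a fixed interpreter `wrap_socket` already raises for this pattern; the guard costs nothing there and closes the gap on an affected one.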

Moreover, it is worth mentioning that another vulnerability in Python has also been fixed (CVE-2023-41105), which was likewise important, as it could be used to bypass the file path validation performed by a function.

The vulnerability is due to the fact that, if the path contains a null character ('\0'), the function truncates the path after the first null character, whereas the file-handling functions called afterwards may use the full path instead of the truncated one. The problem appears only in the 3.11.x branch.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

