CVE-2023-37920: Certifi Trust Anchor Removal for e-Tugra Root Certificates

The cybersecurity community is constantly on alert for vulnerabilities and security risks. One recent vulnerability is the CVE-2023-37920, which pertains to Certifi, a Python library that contains a collection of Root Certificates commonly used for validating trustworthiness and identity verification in SSL and TLS hosts.

The vulnerability revolves around e-Tugra root certificates previously supported by Certifi. Due to security risks and issues in e-Tugra's systems, Certifi version 2023.07.22 removes its support for these problematic certificates, potentially causing applications using older Certifi versions to be exposed to these cybersecurity threats. In this long-read post, we will provide an overview of the CVE-2023-37920 vulnerability, its consequences, and practical ways to mitigate the risk.

Background

Certifi is a curated collection of Root Certificates for validating SSL certificates while verifying the identity of TLS hosts [1]. Certifi ensures that applications can communicate securely over the internet and provides developers with a solid foundation to build upon.

In versions prior to 2023.07.22, Certifi recognized and supported e-Tugra root certificates [2]. However, recent investigations into e-Tugra's systems and practices revealed significant security issues. As a result, Certifi decided to remove e-Tugra root certificates from its root store in the 2023.07.22 release. This effectively mitigates the security risks associated with the compromised certificates, but applications using older Certifi versions remain at risk.

Investigation and Exploit Details

The issues surrounding e-Tugra root certificates first came to light when security researchers reported potential vulnerabilities in e-Tugra's systems. These reports led to a thorough investigation, which confirmed that e-Tugra certificates indeed posed a significant security risk.

While the specifics of the e-Tugra root certificate security issues have not been publicly disclosed, it is implied that these certificates could potentially be misused to execute man-in-the-middle (MITM) attacks, intercepting and tampering with sensitive data over SSL and TLS connections. Applications and systems using Certifi versions older than 2023.07.22 are therefore at risk of exposure to these threats.

Mitigation

The recommended solution for mitigation of the CVE-2023-37920 vulnerability is to update Certifi to the latest version (i.e., 2023.07.22 or newer), which removes the problematic e-Tugra root certificates.

To update the Certifi package, you can use the following command:

pip install --upgrade certifi

This command will ensure that you are using the most recent version of Certifi, secured against the potential threats related to e-Tugra certificates.

Conclusion

CVE-2023-37920 should serve as a reminder that the cybersecurity landscape is dynamic, with new threats emerging daily. Regularly updating libraries and packages, such as Certifi, is crucial to maintaining security and privacy.

Please consult the original advisories and references for more information, especially if you are a developer using Certifi or a system administrator overseeing the use of this library.

References

1. Certifi Repository - Official Link to Certifi Github Repository
2. Certifi Repository - CHANGELOG Link to CHANGELOG
3. MITRE - CVE Details and Explanation Link to MITRE CVE Details

Disclaimer: The information presented in this post is provided for informational purposes only, and is not legal or professional advice. The reader is strongly advised to consult with an expert before making any decisions or taking any actions related to the subjects mentioned above.

Timeline

Published on: 07/25/2023 21:15:00 UTC
Last modified on: 08/03/2023 16:19:00 UTC