A security vulnerability has been discovered in Python's "ssl" module, specifically in the ssl.SSLContext methods cert_store_stats() and get_ca_certs(). Both methods walk the context's underlying OpenSSL certificate store, and they did so without holding the store's lock. A memory race condition occurs when either method is called while certificates are being loaded into the same SSLContext from another thread, for example during a TLS handshake on a context that has a certificate directory (capath) configured, because OpenSSL loads certificates from such a directory lazily, during chain verification. This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2024-0397, and has been fixed in CPython versions 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Here's a code snippet that shows the access pattern in which the race condition can occur: one ssl.SSLContext with a certificate directory configured, shared between threads that call the two affected methods.

import ssl
import threading

def get_cert_stats(ssl_context):
    # Reader: counts the objects currently held in the context's X509 store.
    return ssl_context.cert_store_stats()

def get_ca_certs(ssl_context):
    # Reader: decodes every CA certificate currently held in the X509 store.
    return ssl_context.get_ca_certs()

# Create a server-side SSLContext with a certificate directory configured.
# With capath, OpenSSL does not read the directory up front; certificates are
# loaded lazily during chain verification in a handshake, and that loading is
# the write side of the race.
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_verify_locations(capath='./certs')

# Two threads sharing one context: one calls cert_store_stats() while the
# other calls get_ca_certs(). Both are readers; the unsafe interleaving is
# either of them running while a handshake on this same context (in yet
# another thread) is loading certificates from capath.
t1 = threading.Thread(target=get_cert_stats, args=(ssl_context,))
t2 = threading.Thread(target=get_ca_certs, args=(ssl_context,))

t1.start()
t2.start()
t1.join()
t2.join()

This code runs two threads that concurrently call the affected cert_store_stats() and get_ca_certs() methods on a shared ssl.SSLContext with a certificate directory configured. On its own it is not a reliable reproducer: both calls only read the store, so they do not race each other. The hazard arises when one of them overlaps with a write to the store, that is, a TLS handshake on the same context that lazily loads a certificate from capath in another thread. Whether a given run hits that window depends on timing and on which certificates the peer's chain causes OpenSSL to look up.

1. Python documentation for ssl.SSLContext.cert_store_stats(): https://docs.python.org/3/library/ssl.html#ssl.SSLContext.cert_store_stats
2. NVD entry for the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2024-0397
3. CPython changelog, which includes the release notes for the fix: https://docs.python.org/3/whatsnew/changelog.html
4. Python's ssl module documentation: https://docs.python.org/3/library/ssl.html

Exploit Details and Impact

Triggering the race requires three things to coincide: an SSLContext with a certificate directory (capath) configured, a handshake on that context that causes OpenSSL to load a certificate from the directory, and a concurrent call to cert_store_stats() or get_ca_certs() from another thread. A remote peer controls part of this: the certificate chain it presents determines which issuer OpenSSL looks up, and therefore when a lazy load happens. The reader side, however, has to exist in the application, for example a status or diagnostics endpoint that exposes get_ca_certs() from a shared context. When the window is hit, the reader iterates a certificate list that is being modified underneath it. The demonstrated outcome is a crash of the interpreter (denial of service); because this is a memory-safety race in native code, worse memory corruption cannot be excluded, but the advisory describes it as a memory race condition and does not claim code execution. Note that the handshake itself is not weakened: the reading methods do not alter the store, so certificate verification for the connection proceeds normally. The risk is to the process that hosts the shared context.

To mitigate this risk, update to a patched release. If updating is not immediately possible: do not call cert_store_stats() or get_ca_certs() on an SSLContext that other threads are using for handshakes; load CA certificates eagerly from a bundle (cafile or cadata) rather than from a hashed directory (capath), so that the store is fully populated before the context is shared and nothing is loaded lazily mid-handshake; and never call load_verify_locations() or load_default_certs() on a context that is already in use. A Python-level lock around the two methods does not close the race by itself, because the competing write happens inside OpenSSL during the handshake, not in Python code.
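As an added example (this is not code from the original post or from CPython), the following Python helper does two of the things a practitioner would want from the advice above: it decides whether a given interpreter version carries the fix, and it builds a server-side context whose trust store is populated eagerly from a PEM bundle, so no lazy directory lookups happen during handshakes. The function names are hypothetical. Two cutoffs are assumptions not stated in the advisory: 3.14 and later are treated as fixed, and minor lines older than 3.10 (which the advisory does not list) are treated conservatively as unpatched.

```python
import ssl
import sys
from pathlib import Path

# Earliest fixed micro release per minor line, per the advisory. 3.13 was fixed
# in the 3.13.0a5 pre-release and is handled separately below.
FIXED_MICRO = {10: 14, 11: 9, 12: 3}


def is_patched(version_info=sys.version_info) -> bool:
    """Return True if this interpreter version carries the CVE-2024-0397 fix.

    Assumptions not taken from the advisory: 3.14 and later are treated as
    fixed, and lines older than 3.10, which the advisory does not list, are
    treated conservatively as unpatched. Accepts sys.version_info or any
    3- to 5-tuple in the same layout.
    """
    major, minor, micro = version_info[:3]
    releaselevel = version_info[3] if len(version_info) > 3 else "final"
    serial = version_info[4] if len(version_info) > 4 else 0
    if major != 3:
        return major > 3
    if minor < 10:
        return False
    if minor in FIXED_MICRO:
        return micro >= FIXED_MICRO[minor]
    if minor == 13:
        # 3.13.0a1 through 3.13.0a4 are vulnerable; everything later is fixed.
        return not (micro == 0 and releaselevel == "alpha" and serial < 5)
    return True


PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def collect_pem_bundle(capath) -> str:
    """Concatenate every CERTIFICATE block found under capath into one bundle.

    Hashed directories usually contain several symlinks to the same file, so
    identical blocks are emitted once. No validation happens here; OpenSSL
    rejects malformed blocks when the bundle is loaded.
    """
    seen = set()
    blocks = []
    for path in sorted(Path(capath).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(encoding="ascii", errors="ignore")
        pos = 0
        while True:
            start = text.find(PEM_BEGIN, pos)
            if start < 0:
                break
            end = text.find(PEM_END, start)
            if end < 0:
                break
            end += len(PEM_END)
            block = text[start:end].strip() + "\n"
            if block not in seen:
                seen.add(block)
                blocks.append(block)
            pos = end
    return "".join(blocks)


def count_pem_certs(bundle: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return bundle.count(PEM_BEGIN)


def make_eager_context(bundle: str, require_client_cert=True) -> ssl.SSLContext:
    """Server-side context whose trust store is complete before it is shared.

    A bare SSLContext is used on purpose: create_default_context() with no CA
    arguments calls load_default_certs(), which installs OpenSSL's default
    file and hashed-directory lookups, and the directory lookup loads lazily.
    Loading from cadata leaves no directory lookup on the store, so nothing is
    added during a handshake and cert_store_stats()/get_ca_certs() never
    overlap a store mutation. Do not call load_* on the context once in use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    ctx.load_verify_locations(cadata=bundle)
    return ctx


if __name__ == "__main__":
    print("interpreter patched for CVE-2024-0397:", is_patched())
    if len(sys.argv) > 1:
        # Usage: python this_file.py /path/to/hashed/cert/dir
        bundle = collect_pem_bundle(sys.argv[1])
        ctx = make_eager_context(bundle)
        print("loaded", count_pem_certs(bundle), "CA certificates eagerly;",
              "store stats:", ctx.cert_store_stats())
```

On a fixed interpreter the eager-loading context is still good practice: a trust store that changes while the process runs is harder to reason about, and a directory that is only read lazily hides missing or mis-hashed CA files until the first handshake that needs them.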

In conclusion, this post discussed the details of CVE-2024-0397, a memory race condition in Python's ssl.SSLContext methods cert_store_stats() and get_ca_certs() when they run concurrently with certificate loading on the same context. The vulnerability has been fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. Users are urged to update their Python installations, or at the very least, mitigate the risk by following the recommendations provided in this post.

Timeline

Published on: 06/17/2024 16:15:10 UTC
Last modified on: 07/03/2024 01:44:41 UTC