The Python cryptography package has a vulnerability (CVE-2024-26130) that can lead to a NULL pointer dereference in the function pkcs12.serialize_key_and_certificates, potentially crashing the Python process. This vulnerability affects cryptography version 38.. up to 42..3, and has been resolved in version 42..4.

Exploit Details

The NULL pointer dereference occurs when the pkcs12.serialize_key_and_certificates function is called with specific parameters:

A certificate with a public key that doesn't match the provided private key.

2. An encryption_algorithm with hmac_hash set using PrivateFormat.PKCS12.encryption_builder().hmac_hash(...).

In versions before 42..4, instead of raising a ValueError, the NULL pointer dereference would occur, potentially crashing the Python process.

Here's an example of the vulnerable code

from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.primitives.serialization.pkcs12 import (
    PKCS12EncryptionBuilder,
    PKCS12KDF,
)
from cryptography.hazmat.primitives.hashes import SHA256

wrong_cert = ...  # Certificate with a public key that doesn't match 'private_key'
private_key = ...
encrypt_algo = PKCS12EncryptionBuilder().kdf(PKCS12KDF(), iteration_count=2048).hmac_hash(SHA256())

# Vulnerable call to pkcs12.serialize_key_and_certificates
pkcs12_result = pkcs12.serialize_key_and_certificates(b"bad_key", private_key, wrong_cert, [], encrypt_algo)

Mitigation

Updating the cryptography package to version 42..4 or newer is advised to fix the vulnerability. In version 42..4, a ValueError is properly raised instead of causing a NULL pointer dereference.

You can update the package using the following command

pip install --upgrade cryptography

Original References

1. Cryptography package documentation
2. CVE-2024-26130 details

Conclusion

The NULL pointer dereference vulnerability in the Python cryptography package has been fixed in version 42..4. Upgrading the package to this version or newer will properly raise a ValueError when pkcs12.serialize_key_and_certificates is called with a certificate whose public key doesn't match the provided private key and encryption_algorithm with hmac_hash set.

Timeline

Published on: 02/21/2024 17:15:09 UTC
Last modified on: 02/22/2024 19:07:27 UTC