Certifi is a widely used Python package that ships a curated, up-to-date bundle of root certificates for verifying SSL/TLS connections. An application that uses it (for example through the requests library) validates a server's certificate chain against these trusted roots. However, Certifi versions from 2021.05.30 until the fix in 2024.07.04 are affected by a security vulnerability (CVE-2024-39689) that can expose applications to interception attacks.

Problem Description

Certifi versions from 2021.05.30 and before 2024.07.04 include root certificates from a Certificate Authority (CA) called GLOBALTRUST. Because of long-running and unresolved compliance issues with GLOBALTRUST, its roots are in the process of being removed from Mozilla's root trust store, and Certifi removed them in version 2024.07.04. Applications that keep running an older Certifi continue to trust certificates chaining to GLOBALTRUST, which exposes them to man-in-the-middle (MITM) attacks and related risks.

Exploit Details

Exploiting this weakness requires a GLOBALTRUST-issued certificate and a victim application that still uses an affected version of Certifi (2021.05.30 up to, but not including, 2024.07.04).

Here is a code snippet that shows how an application with the outdated trust store ends up accepting such a certificate:

import requests
from certifi import where

# HTTPS request to a host presenting a GLOBALTRUST-issued certificate.
# verify=where() points requests at Certifi's bundled root store; with an
# affected Certifi release that store still contains the GLOBALTRUST roots,
# so the chain validates and no SSLError is raised.
response = requests.get('https://untrusted.example.com', verify=where())

print("Successfully accessed untrusted.example.com", response.status_code)

In the code above, the requests library is used together with Certifi's where() function to access a website (untrusted.example.com) that presents a GLOBALTRUST certificate. Because the affected Certifi version still trusts that CA, the request raises no SSL/TLS certificate validation error, so a man-in-the-middle holding such a certificate goes undetected.

Mitigation

To address this vulnerability, it is recommended to update Certifi to version 2024.07.04 or later, which has removed GLOBALTRUST's root certificates. To upgrade Certifi using pip, you can execute the following command:

pip install certifi --upgrade
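As an added check (not part of this advisory), the following stdlib-only script reports whether the installed Certifi release falls in the affected range and scans its bundle for roots naming GLOBALTRUST; the sample bundle at the bottom is constructed and contains no real certificates.

```python
import base64
import re
from importlib import metadata

# certifi releases are dated YYYY.MM.DD; GLOBALTRUST roots shipped from
# 2021.05.30 and were dropped in 2024.07.04 (the fixed release).
FIRST_AFFECTED = (2021, 5, 30)
FIXED_VERSION = (2024, 7, 4)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_version(version):
    """'2024.07.04' -> (2024, 7, 4); any further suffix is ignored."""
    return tuple(int(p) for p in version.split(".")[:3])


def version_is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def count_roots_naming(bundle_text, name=b"GLOBALTRUST"):
    """Count PEM certificates whose DER bytes contain the given CA name.

    The CA name is stored as a printable string in the DER-encoded subject,
    so a byte search flags the roots without needing an ASN.1 parser.
    """
    hits = 0
    for m in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(m.group(1).split()))
        if name in der:
            hits += 1
    return hits


def check_installed_certifi():
    """Return (version, affected_by_version, roots_naming_globaltrust)."""
    import certifi  # assumed to be installed (it is a requests dependency)
    version = metadata.version("certifi")
    with open(certifi.where(), encoding="utf-8") as f:
        hits = count_roots_naming(f.read())
    return version, version_is_affected(version), hits


# Constructed sample bundle: fake PEM blocks wrapping plain bytes, NOT real
# certificates, used only to exercise the scanner offline.
SAMPLE_BUNDLE = "\n".join([
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"CN=Example Root CA (constructed)").decode(),
    "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"CN=GLOBALTRUST 2020 (constructed)").decode(),
    "-----END CERTIFICATE-----",
])

if __name__ == "__main__":
    print(check_installed_certifi())
```

A result of (version, True, n>0) means the upgrade above is still needed; after upgrading, the root count should be 0.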

Timeline

Published on: 07/05/2024 19:15:10 UTC
Last modified on: 07/08/2024 15:49:22 UTC