Python Eliminated in TLS Implementation

Published are the latest programming updates for Python versions 3.1.5, 3.10.13, 3.9.18, and 3.8.18. These updates address a vulnerability (CVE-2023-40217) in the SSL.SSLSocket class of the Python library.

The vulnerability allows an attacker to bypass the TLS connection coordination stage, enabling them to process unencrypted data as if they were transmitted using a legitimate TLS connection. This vulnerability has been eliminated in the latest Python updates.

The issue, as identified on GitHub, arises from a small window of time after the socket is created, during which the data accepted by the buffer will be processed even if the connection is closed before TLS connection coordination begins. An attacker can exploit this by establishing a connection, immediately sending data, and closing the socket without waiting for a TLS connection coordination response. The attack is limited by the size of the network buffer.

The vulnerability affects server applications that use the SSL Python Library to establish secure communication channels, particularly those utilizing client certificate authentication (e.g., MTLS). While the immediate connection closure prevents a response from reaching the client, the vulnerability can still be utilized to launch attacks on APIs that can modify or delete data.

The vulnerability can also be leveraged to target clients connected to a controlled attack server, wherein clients that start reading data from a socket without sending a prior request can be exploited. However, ordinary client applications like PIP, which utilize HTTPS to send requests, are not affected by this vulnerability.

In addition to the above-mentioned vulnerability, another one has been eliminated in Python 3.11.x. This vulnerability (CVE-2023-41105) allowed circumventing the validation of permissible file paths executed through the OS.path.normpath() function.

The second vulnerability

/Reports, release notes, official announcements.