Critical RCE Vulnerability on Python (CVE-2021-3177)

Python Software Foundation (PSF) has released updates to fix a critical Buffer Overflow vulnerability (CVE-2021-3177) alongside another Web Cache Poisoning vulnerability (CVE-2021-23336).

Overview

Critical RCE Vulnerability on Python (CVE-2021-3177): Python Software Foundation (PSF) has fixed two vulnerabilities, the first of which is a critical Buffer Overflow vulnerability (CVE-2021-3177) with a CVSS rating of 9.8, and the second a Web Cache Poisoning vulnerability (CVE-2021-23336) with a CVSS rating of 5.9.

Description

The first vulnerability (CVE-2021-3177) is a Remote Code Execution (RCE) vulnerability that exists in the Python language itself. It stems from a buffer overflow bug in PyCArg_repr in _ctypes/callproc.c. Specifically, the bug arises because sprintf() is used to format the value into a fixed-size buffer without checking the length of the resulting text.

case 'd':
    /* sprintf() places no bound on the %f expansion, so a double with a large
       magnitude writes past the end of the fixed-size buffer */
    sprintf(buffer, "<cparam '%c' (%f)>",
            self->tag, self->value.d);
    break;

Due to the vulnerability, attackers could trigger RCE via a stack crash on applications that use ctypes without carefully sanitizing the passed input. Note that unsuccessful RCE attempts could also result in Denial of Service (DoS) on the vulnerable applications. Python versions 3.x through 3.9.1 are affected by CVE-2021-3177.
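The following is an added example and not code from CPython or from its fix: it measures how many bytes the %f repr of a double actually needs, shows that a large value exceeds a fixed buffer of the kind the unpatched code wrote into with sprintf(), and gives a hardened variant that uses snprintf() and rejects output that does not fit. struct cparam, REPR_BUF and the function names are hypothetical stand-ins for the ctypes internals.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the ctypes argument object: a type tag plus the value. */
struct cparam {
    char tag;
    double d;
};

/* Assumed size of the fixed-size stack buffer the unpatched sprintf() wrote into. */
#define REPR_BUF 256

/* Characters (excluding the NUL) that "<cparam '%c' (%f)>" expands to for this value.
   %f prints every integer digit of the double, so 1e300 alone needs over 300 bytes. */
size_t repr_needed_len(const struct cparam *p)
{
    return (size_t)snprintf(NULL, 0, "<cparam '%c' (%f)>", p->tag, p->d);
}

/* Would an unbounded sprintf() into a REPR_BUF-byte buffer overflow for this value? */
int would_overflow(double d)
{
    struct cparam p = { 'd', d };
    return repr_needed_len(&p) + 1 > REPR_BUF;
}

/* Hardened variant: format with snprintf() bounded by out_len and return the length
   written, or -1 (with an empty string) when the repr would not fit. Nothing is ever
   written past the end of out, and a too-long value is reported rather than silently
   truncated. */
int safe_cparam_repr(const struct cparam *p, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "<cparam '%c' (%f)>", p->tag, p->d);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[REPR_BUF];
    struct cparam small = { 'd', 1.5 };
    struct cparam huge = { 'd', 1e300 };
    printf("1.5   needs %zu bytes, overflow=%d\n", repr_needed_len(&small), would_overflow(1.5));
    printf("1e300 needs %zu bytes, overflow=%d\n", repr_needed_len(&huge), would_overflow(1e300));
    printf("safe repr of 1.5: %d -> %s\n", safe_cparam_repr(&small, buf, sizeof buf), buf);
    printf("safe repr of 1e300: %d\n", safe_cparam_repr(&huge, buf, sizeof buf));
    return 0;
}
```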

The second vulnerability (CVE-2021-23336) affecting the language is a Web Cache Poisoning vulnerability. It stems from the proxy (running with its default configuration) and the server interpreting the same request differently when attackers deliberately separate query parameters with a semicolon (;), which urllib.parse.parse_qs and urllib.parse.parse_qsl treat as a separator (i.e., parameter cloaking).

Python versions before 3.6.13, from 3.7.0 before 3.7.10, from 3.8.0 before 3.8.8, and from 3.9.0 before 3.9.2 are affected by CVE-2021-23336.

Impact

An attacker who successfully exploits the CVE-2021-3177 vulnerability could conduct Remote Code Execution (RCE) attacks via a stack crash, or render the vulnerable applications non-functional (Denial of Service) in case of unsuccessful exploitation.

Impact Summary (CVE-2021-3177)

Category: Remote Code Execution (RCE)
CVSS 3.1 Base Score: 9.8 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An attacker who successfully exploits the CVE-2021-23336 vulnerability could conduct Web Cache Poisoning attacks, where malicious requests could be cached as safe ones.

Impact Summary (CVE-2021-23336)

Category: Web Cache Poisoning
CVSS 3.1 Base Score: 5.9 Medium
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Solution (Update/Workaround)

To defend against possible attacks due to the announced vulnerabilities, Python should be updated to the most recent secure versions as advised by the Python Insider. Python Software Foundation has addressed both vulnerabilities with the release of Python 3.8.8 and 3.9.2.

Quote by Doug Linder

A good programmer is someone who always looks both ways before crossing a one-way street.

Doug Linder
