openvas | Copyright (C) 2024 Greenbone AG | OPENVAS:1361412562310114744
History: Aug 13, 2024 - 12:00 a.m.

Python Buffer Over-Read Vulnerability (Jul 2024) - Linux

2024-08-13 00:00:00
Copyright (C) 2024 Greenbone AG
plugins.openvas.org
5
python
buffer over-read
vulnerability
sslcontext
npn
openssl
3.10
linux

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

7.5

Confidence

Low

Python is prone to a buffer over-read vulnerability in
SSLContext.set_npn_protocols().

# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# CPE of the product this check applies to; the detection phase further down
# uses it to look up the port, version and install location.
CPE = "cpe:/a:python:python";

# Description phase: registers the check's metadata (OID, CVE, severity,
# dependencies, human-readable texts) and exits without touching the target.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.114744");
  script_version("2024-08-14T05:05:52+0000");
  script_tag(name:"last_modification", value:"2024-08-14 05:05:52 +0000 (Wed, 14 Aug 2024)");
  script_tag(name:"creation_date", value:"2024-08-13 08:37:31 +0000 (Tue, 13 Aug 2024)");
  # NOTE(review): this CVSS v2 vector scores partial integrity impact only
  # (I:P, with C:N and A:N), which reads oddly for a buffer over-read. The
  # CVSS v3.1 vector shown alongside this check is C:H/I:N/A:H (9.1), while the
  # "insight" text below calls the issue low severity. Confirm the score against
  # the current CVE record before using it for prioritisation.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:P/A:N");

  script_cve_id("CVE-2024-5642");

  # The installed version comes from a remotely observed banner, so a finding
  # is a lead to verify on the host (e.g. distribution backports), not proof.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Python Buffer Over-Read Vulnerability (Jul 2024) - Linux");

  # Information-gathering category: the check only reads previously detected
  # version data.
  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2024 Greenbone AG");
  script_family("General");
  # Runs after Python and OS detection, and only when both keys were set, i.e.
  # Python was detected and the host was classified as Unix-like.
  script_dependencies("gb_python_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("python/detected", "Host/runs_unixoide");

  script_tag(name:"summary", value:"Python is prone to a buffer over-read vulnerability in
  SSLContext.set_npn_protocols().");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # The flaw is reachable only when an application configures NPN with an empty
  # protocol list; the version comparison below cannot tell whether it does.
  script_tag(name:"insight", value:"The product doesn't disallow configuring an empty list ('[]')
  for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This
  results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability
  is of low severity due to NPN being not widely used and specifying an empty list likely being
  uncommon in-practice (typically a protocol name would be configured).");

  script_tag(name:"affected", value:"Python versions prior to 3.10.");

  script_tag(name:"solution", value:"Suggested mitigation by the vendor is one of the following:

  - Update to Python 3.10 or later where NPN isn't supported

  - Avoid using NPN via SSLContext.set_npn_protocols()

  - Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()");

  # NOTE(review): the list address in the first URL reads "[email protected]",
  # which looks like an e-mail obfuscation artifact from the page this copy was
  # taken from; restore it from the upstream feed copy before relying on the link.
  script_xref(name:"URL", value:"https://mail.python.org/archives/list/[email protected]/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/");
  script_xref(name:"URL", value:"https://github.com/python/cpython/pull/23014");
  script_xref(name:"URL", value:"https://github.com/python/cpython/issues/121227");
  script_xref(name:"URL", value:"https://osv.dev/vulnerability/PSF-2024-6");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Detection phase: a pure version comparison against previously collected
# Python detection data. It does not establish whether any application on the
# host calls SSLContext.set_npn_protocols() with an empty list, so a finding
# means "potentially affected" and should be triaged accordingly.
port = get_app_port(cpe: CPE);
if (isnull(port))
  exit(0);

# Only versions starting with major.minor.patch are accepted by the regex.
app_info = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE,
                                        version_regex: "^[0-9]+\.[0-9]+\.[0-9]+");
if (!app_info)
  exit(0);

installed_ver = app_info["version"];
install_loc = app_info["location"];

# Anything at or above 3.10.0 is reported as not affected; exit code 99 is
# presumably the feed's "checked, not vulnerable" result (confirm against the
# scanner documentation).
if (!version_is_less(version: installed_ver, test_version: "3.10.0"))
  exit(99);

report = report_fixed_ver(installed_version: installed_ver, fixed_version: "3.10.0", install_path: install_loc);
security_message(port: port, data: report);
exit(0);
