CVE-2023-40217: A High Severity Vulnerability in Python’s SSLSocket
A critical security vulnerability has been discovered in Python’s SSLSocket module. This vulnerability, CVE-2023-40217, allows an attacker to bypass the TLS handshake and inject malicious data into a secure connection.
The vulnerability is caused by a race condition in the SSLSocket implementation. When a socket is closed before the TLS handshake is complete, the socket may still be able to read data from the attacker. This data will be treated as if it had been encrypted by TLS, even though the handshake was never completed.
This vulnerability is particularly dangerous for HTTPS servers and other server-side protocols that use TLS client authentication. An attacker could exploit this vulnerability to bypass the TLS handshake and inject a malicious client certificate into the connection. This would allow the attacker to gain access to the server’s resources without being authenticated.
The CVE-2023-40217 vulnerability also affects clients that are reading and processing data from the server after a TLS handshake without sending any data first. However, our team is unaware of any protocols that use TLS in this way.
The vulnerability does not affect client-side HTTPS connections like pip or requests. This is because an HTTP request must be sent before an HTTP response is read. By the time the client is sending an HTTP request, the connection would already be closed, leading to an error.
The vulnerability also affects servers that aren’t using TLS client certificate authentication. However, in this case, the vulnerability has no impact. An attacker could bypass the TLS handshake and inject a query into the connection, but they would not be able to gain access to the server’s resources because they would not be authenticated.
The affected versions of Python are:
- Python 3.12.0a1 to 3.12.0rc1
- Python 3.11.0 to 3.11.4
- Python 3.10.0 to 3.10.12
- Python 3.9.0 to 3.9.17
- Python 3.8.0 to 3.8.17
- Python 3.7.17 and earlier
There are a few ways to mitigate this vulnerability:
- Upgrade to Python 3.11.5, 3.10.13, 3.9.18, or 3.8.18.
- Apply a patch for your corresponding version of Python.
- Add a call to
SSLSocket.wrap_socket()before any calls to
SSLSocket.recv(). This call to
getpeername()will raise an OSError if the socket isn’t connected, thus mitigating the vulnerability.
If you are using an affected version of Python, it is important to take steps to mitigate this vulnerability as soon as possible.