Python Software Rushes to Tackle RCE Vulnerability

Vulnerability Could Remotely Shut Down Machines
The Python Software Foundation is sending updates for Python 3.9.2 and 3.8.8 to address critical security vulnerabilities, including a remote code execution vulnerability that can be exploited to shut down systems.
Python is a programming language that can be used to develop complex scientific and numeric applications. Its features facilitate data analysis and visualization.
PSF urged its software users to update systems to Python 3.8.8 or 3.9.2 to address a remote code execution, or RCE, vulnerability tracked as CVE-2021-3177 and another flaw tracked as CVE-2021-23336, which concerns a web cache poisoning vulnerability caused by defaulting the query args separator to & and allowing users to choose a custom separator.
The PSF has noted that the severity of the impact depends on what the Python application does, which is why it had not treated the update as urgent until users called for the release of a fix.
Once the announcement of the releases for 3.9.2 and 3.8.8 was made public, PSF says it received inquiries from end users urging the foundation to expedite the final releases, especially to address CVE-2021-3177, because of the security content.
"This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime. It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place," the PSF notes.
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input.
Martin Jartelius, chief security officer at Outpost24, tells Information Security Media Group that the seriousness of this vulnerability is entirely dependent on what you are doing with Python.
"If you have an exposed application, and the application accepts floating-point numbers, you have a risk of crashes on that system. So having Python support on your server does not make this a remote exploitable bug to be concerned about, but if you are running important applications on top of Python and would like to keep them running, then updating with a tad of urgency would be advisable," Jartelius notes.
Red Hat also evaluates this vulnerability as having a high impact as it can cause a distributed denial-of-service attack. "The highest threat from this vulnerability is to system availability," the company says.
"Applications that use ctypes without carefully validating the input passed to them may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application," Red Hat notes in a separate blog post.
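The two conditions described above, a Python build that predates the 3.8.8 / 3.9.2 fix and untrusted floating-point input reaching ctypes unchecked, can both be screened for in the application itself. The following is an added example, not code from the article, the PSF or Red Hat: it checks the running interpreter against the fix versions the article names and wraps ctypes argument construction in a validator that rejects non-numeric, non-finite and out-of-range values. The range bounds, the `validate_float` and `to_c_double` helpers and the treatment of 3.x minors not listed in the article as unpatched are all assumptions made for illustration.

```python
"""Pre-flight checks for the CVE-2021-3177 conditions the article describes.
Added example; the helpers and bounds here are illustrative assumptions."""
import math
import sys
from ctypes import c_double

# Fixed releases named in the article, keyed by (major, minor).
# Assumption: any other 3.x minor is treated as unpatched, because the
# article only lists these two fix versions.
FIXED_RELEASES = {(3, 8): (3, 8, 8), (3, 9): (3, 9, 2)}


def is_patched(version=None):
    """Return True if `version` (a (major, minor, micro) tuple; default is the
    running interpreter) is at or beyond the fix release for its minor."""
    major, minor, micro = tuple(version or sys.version_info[:3])
    if major != 3:
        # Outside the "Python 3.x through 3.9.1" scope in the article;
        # flag for manual review rather than assume it is safe.
        return False
    if minor > 9:
        return True  # 3.10 and later post-date both fixes
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False  # assumption: unlisted 3.x minors are treated as unpatched
    return (major, minor, micro) >= fixed


def validate_float(raw, lo=-1e6, hi=1e6):
    """Parse untrusted text as a float and enforce an application-defined range.
    NaN and infinities are rejected, as is anything outside [lo, hi]; the
    default bounds are placeholders for whatever the application needs."""
    try:
        value = float(raw)
    except (TypeError, ValueError):
        raise ValueError(f"not a number: {raw!r}")
    if not math.isfinite(value):
        raise ValueError(f"non-finite value rejected: {value!r}")
    if not lo <= value <= hi:
        raise ValueError(f"value {value!r} outside [{lo}, {hi}]")
    return value


def to_c_double(raw, lo=-1e6, hi=1e6):
    """Validate first, then build the ctypes argument from the checked value."""
    return c_double(validate_float(raw, lo, hi))


if __name__ == "__main__":
    print("running interpreter carries the fix:", is_patched())
    print(to_c_double("2.5"))          # accepted, within default bounds
    for sample in ("nan", "1e300", "abc"):   # constructed bad inputs
        try:
            to_c_double(sample)
        except ValueError as exc:
            print("rejected:", exc)
```

The version check is only a convenience for a startup self-test; the real remedy is the upgrade the PSF recommends. The validator is the part that should stay even after upgrading, since it keeps the bounds decision in the application rather than relying on whatever ctypes does with an arbitrary float.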
"Denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today," the PSF notes.
Jartelius suggests that users should not panic but nonetheless recommends that affected users immediately resolve the issue.