Colin Read and Nicolas Edet of Cisco Talos discovered these vulnerabilities.

Executive summary

CPython, the reference Python implementation from Python.org, contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. Python can crash when getpeercert() is called on a TLS connection whose peer presented a certificate containing an invalid DistributionPoint in its CRL Distribution Points extension.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Python to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Python.org CPython X509 certificate parsing denial-of-service vulnerability (TALOS-2018-0758/CVE-2019-5010)

A denial-of-service vulnerability exists in CPython's X509 certificate parser. An attacker could exploit this bug by presenting a specially crafted X509 certificate to a Python TLS client or server that then calls getpeercert() on the connection. The parser assumes that every CRL DistributionPoint carries a valid distributionPoint field. If the certificate contains a crafted DistributionPoint whose distributionPoint is blank (absent) but which does carry a cRLIssuer, the parser dereferences a NULL pointer, leading to a denial of service.
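
The structure at the heart of this bug is easy to see with a small parser. The example below is added here and is not Talos's or CPython's code; it decodes a CRLDistributionPoints extension value (DER) with a minimal TLV reader, builds a constructed sample extension whose second DistributionPoint has only a cRLIssuer and no distributionPoint, and contrasts a walker that assumes the OPTIONAL [0] field is always present (the pre-fix assumption; a NULL dereference in C, a TypeError here) with one that skips such entries. Function and constant names are the example's own.

```python
"""Decode an X.509 CRLDistributionPoints extension value and show why a
DistributionPoint without a distributionPoint field must be tolerated.

CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
DistributionPoint ::= SEQUENCE {
    distributionPoint [0] DistributionPointName OPTIONAL,
    reasons           [1] ReasonFlags OPTIONAL,
    cRLIssuer         [2] GeneralNames OPTIONAL }
"""

SEQ = 0x30
DP_TAG = 0xA0         # distributionPoint, [0] EXPLICIT (tag on a CHOICE)
FULLNAME_TAG = 0xA0   # DistributionPointName.fullName, [0] IMPLICIT GeneralNames
CRLISSUER_TAG = 0xA2  # cRLIssuer, [2] IMPLICIT GeneralNames
URI_TAG = 0x86        # GeneralName uniformResourceIdentifier, [6] IMPLICIT IA5String


def der_len(n: int) -> bytes:
    """DER length encoding, short and long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes):
    """Yield (tag, value) for every TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def general_name_uris(buf: bytes):
    """Collect the URI GeneralNames from a GeneralNames body."""
    return [v.decode("ascii") for t, v in iter_tlvs(buf) if t == URI_TAG]


def parse_crl_dps(ext_value: bytes):
    """Decode the extension into dicts. distribution_point is None when the
    OPTIONAL [0] field is absent, the shape that crashed CPython."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != SEQ:
        raise ValueError("expected SEQUENCE OF DistributionPoint")
    dps = []
    for tag, dp_body in iter_tlvs(seq):
        if tag != SEQ:
            raise ValueError("expected DistributionPoint SEQUENCE")
        dp = {"distribution_point": None, "crl_issuer": None}
        for ftag, fval in iter_tlvs(dp_body):
            if ftag == DP_TAG:
                ctag, cval, _ = read_tlv(fval, 0)  # the CHOICE inside [0]
                if ctag == FULLNAME_TAG:
                    dp["distribution_point"] = general_name_uris(cval)
                else:
                    dp["distribution_point"] = []  # nameRelativeToCRLIssuer: no URIs
            elif ftag == CRLISSUER_TAG:
                dp["crl_issuer"] = general_name_uris(fval)
        dps.append(dp)
    return dps


def crl_urls_unchecked(dps):
    """Pre-fix assumption: every DP has a distributionPoint. In C this is the
    NULL dereference; here iterating None raises TypeError."""
    urls = []
    for dp in dps:
        for uri in dp["distribution_point"]:
            urls.append(uri)
    return urls


def crl_urls_checked(dps):
    """Skip DPs that carry no distributionPoint (cRLIssuer-only entries)."""
    urls = []
    for dp in dps:
        if dp["distribution_point"] is None:
            continue
        urls.extend(dp["distribution_point"])
    return urls


# Constructed sample extension value: an ordinary DP, then a DP that carries
# only a cRLIssuer. Hostnames are made up for the example.
NORMAL_DP = tlv(SEQ, tlv(DP_TAG, tlv(FULLNAME_TAG,
                 tlv(URI_TAG, b"http://crl.example.com/a.crl"))))
ISSUER_ONLY_DP = tlv(SEQ, tlv(CRLISSUER_TAG,
                      tlv(URI_TAG, b"http://crl.example.com/issuer")))
CRAFTED_EXT = tlv(SEQ, NORMAL_DP + ISSUER_ONLY_DP)

if __name__ == "__main__":
    dps = parse_crl_dps(CRAFTED_EXT)
    print("checked walker:", crl_urls_checked(dps))
    try:
        crl_urls_unchecked(dps)
    except TypeError as exc:
        print("unchecked walker failed:", exc)
```

The checked walker returns only the first entry's URL and ignores the cRLIssuer-only entry; the unchecked one fails on the second entry, which is the same control flow as the crash, minus the memory-safety consequences.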

For more information on this vulnerability, read the complete advisory here.

Versions tested

Talos tested and confirmed that CPython versions 2.7.11, 3.6.6 and 3.5.2, and the Python 3 master branch at commit 480833808e918a1dcebbbcfd07d5a8de3c5c2a66, are affected by this vulnerability.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48854, 48855