CVE-2019-5010
📋 TL;DR
This vulnerability allows attackers to cause a denial of service by triggering a NULL pointer dereference in Python's X509 certificate parser. When Python processes a specially crafted TLS certificate during connection establishment, the interpreter crashes, disrupting the service. It affects Python applications that handle TLS connections using the vulnerable versions.
💻 Affected Systems
- Python
- Applications using Python's TLS/SSL libraries
📦 What is this software?
Leap by openSUSE
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption for Python applications handling TLS connections, potentially affecting availability of web servers, APIs, or other network services.
Likely Case
Service crashes when processing malicious TLS certificates, requiring restart of affected Python processes.
If Mitigated
Minimal impact if systems are patched or don't process untrusted TLS certificates.
🎯 Exploit Status
Attack requires ability to present crafted certificate during TLS handshake, which can be done by initiating or accepting connections. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 2.7.17, 3.6.10, and later versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:3520
Restart Required: Yes
Instructions:
1. Update Python to a patched version (2.7.17+ or 3.6.10+).
2. Restart all Python applications and services.
3. For Linux distributions, use the package manager: 'sudo apt-get update && sudo apt-get upgrade python' (Debian/Ubuntu) or 'sudo yum update python' (RHEL/CentOS).
🔧 Temporary Workarounds
Disable TLS certificate validation
Configure Python applications not to validate TLS certificates (not recommended for production):
context.check_hostname = False  # a default context refuses CERT_NONE while hostname checking is still on
context.verify_mode = ssl.CERT_NONE
Network filtering
Use firewalls to restrict TLS connections to trusted sources only
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable Python services
- Use reverse proxies or load balancers to filter and inspect TLS connections before they reach vulnerable applications
🔍 How to Verify
Check if Vulnerable:
Check the Python version with 'python --version' or 'python3 --version'. If the version is 2.7.11 or 3.6.6 (or an earlier release), it is likely vulnerable.
Check Version:
python --version && python -c "import sys; print('Python', sys.version)"
Verify Fix Applied:
Verify Python version is 2.7.17+ or 3.6.10+. Test TLS functionality with known good certificates.
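The version check above, as an added example (not from the advisory or the Python project) that turns the advisory's thresholds into a three-state classifier: releases at or below 2.7.11 / 3.6.6 are "likely-vulnerable", releases from 2.7.17 / 3.6.10 upward are "patched", and anything in between or on an unlisted major version is "unknown". It assumes, per the "and later versions" wording, that every 3.x release at or above 3.6.10 counts as patched.

```python
import re
import sys

# Thresholds as stated in this advisory: releases at or below the first are
# listed as likely vulnerable; the second are the first patched releases.
LIKELY_VULNERABLE_UPTO = {2: (2, 7, 11), 3: (3, 6, 6)}
PATCHED_FROM = {2: (2, 7, 17), 3: (3, 6, 10)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn `python --version` output such as 'Python 3.6.9+' into a
    (major, minor, micro) tuple; a missing micro part counts as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    major, minor, micro = m.groups()
    return int(major), int(minor), int(micro or 0)


def classify(version):
    """Return 'patched', 'likely-vulnerable' or 'unknown'. Releases between
    the two thresholds, and major versions the advisory does not list, are
    'unknown': confirm those against the vendor advisory."""
    v = tuple(version[:3])
    major = v[0]
    if major not in PATCHED_FROM:
        return "unknown"
    if v >= PATCHED_FROM[major]:          # e.g. 3.6.10, 3.7.x, 3.8.x
        return "patched"
    if v <= LIKELY_VULNERABLE_UPTO[major]:  # e.g. 2.7.5, 3.6.6
        return "likely-vulnerable"
    return "unknown"                      # e.g. 3.6.8: between the thresholds


def check_running_interpreter():
    """Classify the interpreter that is executing this script."""
    return classify(sys.version_info[:3])


if __name__ == "__main__":
    print(sys.version.split()[0], "->", check_running_interpreter())
```

Pipe the output of 'python --version' into parse_version() to classify an interpreter other than the one running the script.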
📡 Detection & Monitoring
Log Indicators:
- Python process crashes with segmentation faults during TLS handshakes
- Application logs showing connection failures after certificate exchange
Network Indicators:
- Multiple failed TLS handshakes from single sources
- Unusual certificate patterns in TLS traffic
SIEM Query:
source="*python*" AND ("segmentation fault" OR "NULL pointer" OR "certificate parse")
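The log and network indicators above, run over constructed sample log lines, as an added example (not from the advisory or the Python project). It matches the three terms of the SIEM query plus the shorter spellings the kernel and systemd actually write for a segmentation fault (an assumed addition), and counts post-certificate connection failures per source address to surface the "multiple failed TLS handshakes from single sources" indicator; the log format and the threshold of two failures are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system): one crash sequence
# and several post-certificate connection failures from two sources.
SAMPLE_LOGS = [
    "2020-01-12T10:01:02 app[1201]: TLS handshake started with 203.0.113.7:51022",
    "2020-01-12T10:01:02 kernel: python3[1201]: segfault at 0 ip 00007f3a1c2b4d60 "
    "sp 00007ffd2e1a0c40 error 4 in _ssl.cpython-36m-x86_64-linux-gnu.so",
    "2020-01-12T10:01:03 systemd[1]: app.service: Main process exited, code=killed, status=11/SEGV",
    "2020-01-12T10:01:10 app[1230]: connection from 203.0.113.7:51040 failed after certificate exchange",
    "2020-01-12T10:01:11 app[1230]: connection from 203.0.113.7:51041 failed after certificate exchange",
    "2020-01-12T10:02:00 app[1230]: GET /healthz 200",
    "2020-01-12T10:02:30 app[1230]: connection from 198.51.100.9:40001 failed after certificate exchange",
]

# Crash keywords: the three terms of the SIEM query above plus the short
# spellings the kernel and systemd emit for a segmentation fault (assumed).
CRASH_TERMS = ("segmentation fault", "segfault", "sigsegv", "/segv",
               "null pointer", "certificate parse")

# Source address of a connection that failed after the certificate exchange
# (matches the constructed log format used in SAMPLE_LOGS).
FAILED_RE = re.compile(
    r"connection from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ failed after certificate exchange")


def crash_lines(lines):
    """Return the lines matching any crash keyword, case-insensitively."""
    return [ln for ln in lines if any(t in ln.lower() for t in CRASH_TERMS)]


def failures_by_source(lines):
    """Count post-certificate connection failures per source address."""
    counts = Counter()
    for ln in lines:
        m = FAILED_RE.search(ln)
        if m:
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(lines, threshold=2):
    """Sources with at least `threshold` failures (threshold is an assumption)."""
    return sorted(src for src, n in failures_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ln in crash_lines(SAMPLE_LOGS):
        print("CRASH  ", ln)
    for src in suspicious_sources(SAMPLE_LOGS):
        print("SOURCE ", src, failures_by_source(SAMPLE_LOGS)[src])
```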
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- https://access.redhat.com/errata/RHSA-2019:3520
- https://access.redhat.com/errata/RHSA-2019:3725
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://security.gentoo.org/glsa/202003-26
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758