CVE-2019-9948
📋 TL;DR
This vulnerability in Python 2.x's urllib library allows attackers to bypass file URI blacklists using the 'local_file:' scheme, enabling unauthorized file system access. It affects Python 2.x up to version 2.7.16. Applications using urllib.urlopen() with user-controlled input are vulnerable.
💻 Affected Systems
- Python
📦 What is this software?
Fedora by Fedoraproject
Leap by Opensuse
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers could read sensitive system files like /etc/passwd, /etc/shadow, or application configuration files, potentially leading to credential theft and system compromise.
Likely Case
Attackers bypass security controls to read arbitrary files accessible to the application process, exposing sensitive data and configuration information.
If Mitigated
With proper input validation and URI scheme restrictions, impact is limited to attempted exploitation that fails due to blocked schemes.
🎯 Exploit Status
Simple exploitation requires only constructing a malicious URL with local_file: scheme. No authentication needed if application accepts external input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 2.7.17 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:1700
Restart Required: Yes
Instructions:
1. Update Python to version 2.7.17 or later.
2. For Linux distributions, use the package manager: 'sudo apt-get update && sudo apt-get install python2.7' (Debian/Ubuntu) or 'sudo yum update python' (RHEL/CentOS).
3. Restart affected applications.
🔧 Temporary Workarounds
Input Validation Filter
Validate and sanitize all user input before passing it to urllib.urlopen(), rejecting any URI whose scheme is local_file:.
# Python code example:
import urllib

BLOCKED_SCHEMES = ('local_file', 'file')

def safe_urlopen(url):
    # Split off the scheme the same way urllib.urlopen() does (urllib.splittype),
    # not with urlparse(): urlparse() does not accept '_' in a scheme and reports
    # a local_file: URL as having no scheme at all, so the check would never fire.
    scheme, _ = urllib.splittype(url)
    if scheme is not None and scheme.lower() in BLOCKED_SCHEMES:
        raise ValueError('Prohibited URI scheme')
    return urllib.urlopen(url)
Application Firewall Rule
Block requests containing the string 'local_file:' at the web application firewall or reverse proxy level.
# nginx configuration example:
location / {
    if ($request_uri ~* "local_file") {
        return 403;
    }
}
🧯 If You Can't Patch
- Implement strict input validation to reject any URIs containing 'local_file:' scheme
- Use application-level file access controls instead of urllib for local file operations
🔍 How to Verify
Check if Vulnerable:
Check the Python version with 'python --version'. If the version is 2.7.16 or earlier, test with: python -c "import urllib; print(urllib.urlopen.__doc__)" and look for local_file handling.
Check Version:
python --version
Verify Fix Applied:
After updating, verify that the Python version is 2.7.17 or later. Test that the local_file: scheme is rejected: python -c "import urllib; urllib.urlopen('local_file:///etc/passwd')" should fail.
📡 Detection & Monitoring
Log Indicators:
- Failed file access attempts with local_file: scheme in application logs
- Unusual file read patterns from web applications
Network Indicators:
- HTTP requests containing 'local_file:' in parameters or headers
SIEM Query:
source="*app.log*" AND "local_file"
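The scanner below is an added example, not part of this advisory or of CPython: it runs the 'local_file' check from the SIEM query above over constructed access-log lines, and also catches upper-case and percent-encoded (single and double) forms that a literal string match would miss. It splits the scheme the way urllib's own splittype() does (everything up to the first ':'), which is why an underscore scheme such as local_file is recognized. SCHEME_RE, BLOCKED_SCHEMES and SAMPLE_LOG are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Approximates urllib.splittype(): a scheme is the run of characters before the
# first ':' that is not preceded by another scheme character. Unlike urlparse(),
# this accepts '_' so local_file: is seen as a scheme, just as Py2 urlopen saw it.
SCHEME_RE = re.compile(r'(?<![A-Za-z0-9_.+-])([A-Za-z][A-Za-z0-9_.+-]*):')

BLOCKED_SCHEMES = {'local_file', 'file'}


def suspicious_schemes(text, max_decode=3):
    """Return the blocked schemes found in text, re-checking after each percent-decode."""
    found = set()
    for _ in range(max_decode):
        for m in SCHEME_RE.finditer(text):
            if m.group(1).lower() in BLOCKED_SCHEMES:
                found.add(m.group(1).lower())
        decoded = unquote(text)
        if decoded == text:        # nothing left to decode
            break
        text = decoded             # handle %25-style double encoding
    return found


def scan_access_log(lines):
    """Return [(line_number, [schemes])] for every log line carrying a blocked scheme."""
    hits = []
    for n, line in enumerate(lines, 1):
        schemes = suspicious_schemes(line)
        if schemes:
            hits.append((n, sorted(schemes)))
    return hits


# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2019:10:00:01 +0000] "GET /fetch?url=http://example.com/a HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2019:10:00:02 +0000] "GET /fetch?url=local_file:///etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Apr/2019:10:00:03 +0000] "GET /fetch?url=LOCAL_FILE%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Apr/2019:10:00:04 +0000] "GET /fetch?url=local_file%253A%252F%252F%252Fetc HTTP/1.1" 200 77',
    '10.0.0.7 - - [01/Apr/2019:10:00:05 +0000] "GET /files/local_file_list.txt HTTP/1.1" 200 90',
]

if __name__ == '__main__':
    for n, schemes in scan_access_log(SAMPLE_LOG):
        print('line %d: blocked scheme(s) %s' % (n, ', '.join(schemes)))
```

Line 5 is deliberately a benign file name containing 'local_file' without a colon, so a scheme-aware match keeps it out of the alert while the plain substring query from the SIEM section would flag it.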
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://www.securityfocus.com/bid/107549
- https://access.redhat.com/errata/RHSA-2019:1700
- https://access.redhat.com/errata/RHSA-2019:2030
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2019:3520
- https://bugs.python.org/issue35907
- https://github.com/python/cpython/pull/11842
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/
- https://seclists.org/bugtraq/2019/Oct/29
- https://security.gentoo.org/glsa/202003-26
- https://security.netapp.com/advisory/ntap-20190404-0004/
- https://usn.ubuntu.com/4127-1/
- https://usn.ubuntu.com/4127-2/