CVE-2020-36242
📋 TL;DR
This vulnerability in Python's cryptography package is an integer overflow leading to a buffer overflow when symmetric encryption (for example Fernet) processes multi-gigabyte inputs. Attackers could potentially execute arbitrary code or cause denial of service. It affects Python applications that use the cryptography package for symmetric encryption of large data.
💻 Affected Systems
- Python cryptography package
📦 What is this software?
Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
Cryptography by Cryptography.io
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service through application crashes or memory corruption, potentially exposing sensitive data.
If Mitigated
Limited impact if encryption is restricted to smaller data sizes or proper input validation is implemented.
🎯 Exploit Status
Exploitation requires specific sequences of update calls with multi-GB data, making automated exploitation possible but requiring understanding of the encryption flow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2 and later
Vendor Advisory: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Restart Required: Yes
Instructions:
1. Update cryptography package: pip install --upgrade "cryptography>=3.3.2" (quote the specifier so the shell does not treat >= as a redirect)
2. Restart all Python applications/services using the package
3. Verify no dependencies pin older vulnerable versions
🔧 Temporary Workarounds
Limit encryption data size
Implement input validation to reject encryption requests exceeding safe size limits (e.g., < 1GB).
# Python code example:
if data_size > 1073741824:
    raise ValueError('Data too large for encryption')
🧯 If You Can't Patch
- Implement strict input validation to prevent multi-GB encryption operations
- Isolate vulnerable applications in network segments with limited access
🔍 How to Verify
Check if Vulnerable:
Check cryptography version: python -c "import cryptography; print(cryptography.__version__)" and compare to 3.3.2
Check Version:
python -c "import cryptography; print('cryptography version:', cryptography.__version__)"
Verify Fix Applied:
Confirm version is 3.3.2 or higher and test encryption with large data samples
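The two checks above (a version check against 3.3.2 and a size limit on plaintext before it reaches the encryptor) combined into one runnable helper. This is an added example, not code from the advisory or from the pyca/cryptography project; the function names, the 1 GiB default limit and the use of importlib.metadata are assumptions. The version check uses only the standard library so it runs even where cryptography is not installed.

```python
"""Guard a symmetric-encryption call against oversized plaintexts and check the
installed cryptography version against the 3.3.2 fix (added example; helper
names and the default limit are assumptions, not from the advisory)."""
import importlib.metadata
import re

# First release carrying the fix, per the advisory.
FIXED_VERSION = (3, 3, 2)
# Default plaintext cap: 1 GiB, the threshold the advisory's workaround suggests.
MAX_PLAINTEXT_BYTES = 1 << 30


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' (trailing tags such as 'rc1' ignored) into an int tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text):
    """True when the version string is older than the 3.3.2 fix."""
    return parse_version(text) < FIXED_VERSION


def installed_cryptography_status():
    """Return (version, vulnerable) for the installed package, or (None, None) if absent."""
    try:
        version = importlib.metadata.version("cryptography")
    except importlib.metadata.PackageNotFoundError:
        return None, None
    return version, is_vulnerable_version(version)


def guarded_encrypt(encrypt, data, limit=MAX_PLAINTEXT_BYTES):
    """Reject oversized plaintexts before handing them to the encrypt callable.

    `encrypt` is any bytes -> bytes function, e.g. Fernet(key).encrypt. The
    length check runs before any encryption work, so an oversized request fails
    fast with a ValueError instead of reaching the vulnerable code path.
    """
    if not isinstance(data, (bytes, bytearray, memoryview)):
        raise TypeError("plaintext must be bytes-like")
    size = len(data)
    if size > limit:
        raise ValueError(f"plaintext of {size} bytes exceeds the {limit}-byte limit")
    return encrypt(bytes(data))


if __name__ == "__main__":
    version, vulnerable = installed_cryptography_status()
    if version is None:
        print("cryptography is not installed in this interpreter")
    else:
        state = "VULNERABLE (< 3.3.2)" if vulnerable else "fixed (>= 3.3.2)"
        print(f"cryptography {version}: {state}")

    # Constructed stand-in for an encryptor so the demo runs without the package;
    # in a real service pass Fernet(key).encrypt here instead.
    fake_encrypt = lambda b: b[::-1]
    print(guarded_encrypt(fake_encrypt, b"small message"))
    try:
        guarded_encrypt(fake_encrypt, b"x" * 16, limit=8)
    except ValueError as exc:
        print("rejected:", exc)
```

Wrap the production encryptor rather than the caller: pass `Fernet(key).encrypt` as `encrypt` and every code path that reaches the key object goes through the same size check.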
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory corruption errors
- Unusually large encryption requests in application logs
Network Indicators:
- Large encrypted payloads to encryption endpoints
- Repeated failed encryption attempts with varying sizes
SIEM Query:
source=application_logs ("cryptography" AND ("overflow" OR "segmentation fault" OR "memory error")) OR ("encrypt" AND size>1000000000)
🔗 References
- https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
- https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
- https://github.com/pyca/cryptography/issues/5615
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html