CVE-2021-3177
📋 TL;DR
This is a buffer overflow vulnerability in Python's ctypes module that could allow remote code execution. It affects Python applications that process untrusted floating-point numbers through ctypes. The vulnerability exists in Python 3.x through 3.9.1.
💻 Affected Systems
- Python
- Applications using Python ctypes module
📦 What is this software?
Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
View all CVEs affecting Communications Cloud Native Core Network Function Cloud Native Environment →
Communications Offline Mediation Controller by Oracle
View all CVEs affecting Communications Offline Mediation Controller →
Communications Pricing Design Center by Oracle
View all CVEs affecting Communications Pricing Design Center →
Fedora by Fedoraproject
Fedora by Fedoraproject
Ontap Select Deploy Administration Utility by Netapp
View all CVEs affecting Ontap Select Deploy Administration Utility →
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
Learn more about Python →⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the Python process, potentially leading to complete system compromise.
Likely Case
Application crash (denial of service) or limited code execution depending on application context and exploit sophistication.
If Mitigated
No impact if patched or if application doesn't use ctypes with untrusted floating-point input.
🎯 Exploit Status
Proof of concept demonstrates triggering the overflow with 1e300 argument. Exploitation requires specific application context.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 3.9.2 and later
Vendor Advisory: https://bugs.python.org/issue42938
Restart Required: Yes
Instructions:
1. Upgrade Python to version 3.9.2 or later. 2. Restart all Python applications and services. 3. For embedded systems, update Python runtime.
🔧 Temporary Workarounds
Input validation
allValidate and sanitize floating-point inputs before passing to ctypes functions
Disable vulnerable functionality
allAvoid using c_double.from_param with untrusted input
🧯 If You Can't Patch
- Implement strict input validation for floating-point numbers in applications using ctypes
- Use application firewalls or WAFs to filter suspicious floating-point inputs
🔍 How to Verify
Check if Vulnerable:
Check Python version with 'python --version' or 'python3 --version'. If version is 3.x through 3.9.1, system is vulnerable.Check Version:
python --versionVerify Fix Applied:
After patching, verify Python version is 3.9.2 or later. Test ctypes functionality with sample applications.📡 Detection & Monitoring
Log Indicators:
- Python application crashes with segmentation faults
- Unexpected process termination in Python services
Network Indicators:
- Unusual network connections from Python processes
- Traffic containing very large floating-point numbers
SIEM Query:
Process:python AND (EventID:1000 OR EventID:1001) OR Process:python AND (ExceptionCode:c0000005 OR ExceptionCode:c0000409)🔗 References
- https://bugs.python.org/issue42938
- https://github.com/python/cpython/pull/24239
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
- https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/
- https://news.ycombinator.com/item?id=26185005
- https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
- https://security.gentoo.org/glsa/202101-18
- https://security.netapp.com/advisory/ntap-20210226-0003/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://bugs.python.org/issue42938
- https://github.com/python/cpython/pull/24239
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
- https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/
- https://news.ycombinator.com/item?id=26185005
- https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
- https://security.gentoo.org/glsa/202101-18
- https://security.netapp.com/advisory/ntap-20210226-0003/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
