CVE-2023-37920
📋 TL;DR
This vulnerability affects systems using versions of the certifi Python package before 2023.07.22, whose trust bundle still included the compromised e-Tugra root certificates. Attackers could perform man-in-the-middle attacks or spoof TLS connections by leveraging these untrustworthy certificates. Any Python application that relies on certifi for SSL/TLS certificate validation is potentially affected.
💻 Affected Systems
- certifi Python package
- Any Python application using certifi for SSL/TLS validation
📦 What is this software?
Certifi by Certifi
Fedora by Fedoraproject
Management Services For Element Software by Netapp
Management Services For Netapp Hci by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept and decrypt encrypted communications, impersonate legitimate services, or bypass TLS certificate validation entirely, leading to data theft, credential compromise, or malware injection.
Likely Case
Targeted attacks against specific organizations or users where attackers can leverage the compromised certificates to intercept sensitive communications or spoof trusted services.
If Mitigated
With proper network segmentation, certificate pinning, and monitoring, the impact is limited to potential interception of specific TLS connections using e-Tugra certificates.
🎯 Exploit Status
Exploitation requires the attacker to control network traffic or present spoofed certificates. The vulnerability is in the trust store itself, not in application code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.07.22
Vendor Advisory: https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
Restart Required: No
Instructions:
1. Update the certifi package: pip install --upgrade 'certifi>=2023.07.22'
2. Verify the update: pip show certifi
3. Restart any running Python applications to load the updated certificate store.
🔧 Temporary Workarounds
Manual certificate removal
Manually remove the e-Tugra certificates from the certifi certificate bundle. Each certificate in the bundle is preceded by a comment header, so the whole entry, from its "# Issuer:" line through the "-----END CERTIFICATE-----" line, has to be deleted; deleting only the lines that mention e-Tugra would leave the certificate body in place and still trusted. The edit is lost when certifi is next reinstalled or upgraded.
sed -i '/^# Issuer:.*E-Tugra/I,/^-----END CERTIFICATE-----$/d' "$(python -m certifi)"
Use alternative certificate store
Configure Python applications to use the system certificate store instead of certifi
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
🧯 If You Can't Patch
- Implement certificate pinning for critical services so that trust does not rest on the certifi bundle alone
- Monitor network traffic for unexpected certificate authorities or e-Tugra certificate usage
🔍 How to Verify
Check if Vulnerable:
Check the certifi version with pip show certifi | grep Version. If the version is earlier than 2023.07.22, the system is vulnerable.
Check Version:
pip show certifi | grep Version
Verify Fix Applied:
Verify that the certifi version is 2023.07.22 or later and that no e-Tugra certificates remain in the bundle: grep -i 'e-tugra' $(python -m certifi) should print nothing.
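The manual-removal workaround and the verification steps above both come down to two checks: comparing the installed certifi version numerically against 2023.07.22, and finding every e-Tugra entry in the bundle as a whole certificate rather than as a stray comment line. The script below is an added example for this page, not code from the certifi project. It assumes the bundle uses the layout of certifi's cacert.pem, where each PEM certificate is preceded by "# Issuer:", "# Subject:", "# Label:" and fingerprint comment lines; SAMPLE_BUNDLE is constructed for the demo and its certificate bodies are placeholders, not real DER. The audit_installed_bundle() helper runs the same scan against the bundle actually installed when certifi is importable.

```python
"""Audit a certifi-style CA bundle for e-Tugra roots and produce a cleaned copy.

Added example for this advisory; not code from the certifi project. Assumes the
cacert.pem layout (comment header, then PEM block, per certificate). The sample
bundle at the bottom is constructed and its certificate bodies are placeholders.
"""
import re
import unicodedata
from typing import List, Tuple

FIXED_VERSION = (2023, 7, 22)  # first certifi release shipped without the e-Tugra roots


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2023.07.22' and '2023.7.22' both become (2023, 7, 22); comparing the
    strings instead would rank '2023.7.22' below '2023.07.22'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the given certifi version predates the fixed release."""
    return version_tuple(version) < FIXED_VERSION


def normalize(text: str) -> str:
    """Fold case, strip diacritics and drop hyphens/spaces so that e-Tugra,
    eTugra, ETUGRA and the Turkish spelling E-Tuğra all compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold().replace("-", "").replace(" ", "")


def mentions_etugra(text: str) -> bool:
    return "etugra" in normalize(text)


def split_bundle(bundle: str) -> List[Tuple[str, str]]:
    """Return (comment_header, pem_block) pairs, one per certificate."""
    entries: List[Tuple[str, str]] = []
    header: List[str] = []
    pem: List[str] = []
    in_pem = False
    for line in bundle.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            in_pem = True
        if in_pem:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                entries.append(("\n".join(header), "\n".join(pem)))
                header, pem, in_pem = [], [], False
        elif line.strip():
            header.append(line)
    return entries


def etugra_labels(bundle: str) -> List[str]:
    """'# Label:' value of every certificate whose header mentions e-Tugra."""
    labels = []
    for header, _pem in split_bundle(bundle):
        if mentions_etugra(header):
            match = re.search(r'^# Label: "(.*)"$', header, re.MULTILINE)
            labels.append(match.group(1) if match else "<unlabelled>")
    return labels


def strip_etugra(bundle: str) -> str:
    """Drop the whole entry, header and PEM body, for every e-Tugra root.
    Removing only the matching comment lines would leave the root trusted."""
    kept = [f"{header}\n{pem}" for header, pem in split_bundle(bundle)
            if not mentions_etugra(header)]
    return "\n\n".join(kept) + "\n"


def audit_installed_bundle() -> List[str]:
    """Labels of e-Tugra roots in the installed certifi bundle ([] if certifi is absent)."""
    try:
        import certifi
    except ImportError:
        return []
    with open(certifi.where(), encoding="utf-8") as fh:
        return etugra_labels(fh.read())


# Constructed sample: one unrelated root and two e-Tugra-style entries,
# the second spelled with the Turkish ğ to exercise the normalisation.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Trusted Root O=Example Trust Services
# Subject: CN=Example Trusted Root O=Example Trust Services
# Label: "Example Trusted Root"
-----BEGIN CERTIFICATE-----
MIIBplaceholderBodyNotARealCertificate0=
-----END CERTIFICATE-----

# Issuer: CN=E-Tugra Certification Authority O=E-Tugra Sample Org
# Subject: CN=E-Tugra Certification Authority O=E-Tugra Sample Org
# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
MIIBplaceholderBodyNotARealCertificate1=
-----END CERTIFICATE-----

# Issuer: CN=Sample Root ECC O=E-Tuğra Sample Org
# Subject: CN=Sample Root ECC O=E-Tuğra Sample Org
# Label: "E-Tuğra Sample Root ECC"
-----BEGIN CERTIFICATE-----
MIIBplaceholderBodyNotARealCertificate2=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("2023.05.07 vulnerable:", is_vulnerable("2023.05.07"))
    print("e-Tugra entries in sample bundle:", etugra_labels(SAMPLE_BUNDLE))
    print("entries left after stripping:", len(split_bundle(strip_etugra(SAMPLE_BUNDLE))))
    print("e-Tugra entries in installed certifi:", audit_installed_bundle())
```

Running the script prints the audit of the constructed sample and, if certifi is installed, of the real bundle. Writing strip_etugra()'s output back over certifi.where() is the programmatic equivalent of the sed workaround and has the same caveat: the next pip upgrade of certifi replaces the file.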
📡 Detection & Monitoring
Log Indicators:
- TLS handshake failures with e-Tugra certificates
- Unexpected certificate authority in SSL/TLS connections
Network Indicators:
- TLS connections using e-Tugra root certificates
- Certificate transparency logs showing e-Tugra certificate usage
SIEM Query:
source="*ssl*" AND ("e-Tugra" OR "eTugra" OR "ETUGRA")
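The log and network indicators above can be checked outside a SIEM as well. The script below is an added example for this page, not a vendor detection; it runs over constructed logfmt-style TLS handshake records (key=value, quoted where needed) and flags any whose issuer or subject is an e-Tugra CA. The regex also accepts the Turkish spelling E-Tuğra, which the three literal terms in the SIEM query above would miss. It then triages each hit the way the "Log Indicators" list implies: a handshake that succeeded against an e-Tugra chain means the client still trusts the removed root, while a failure means the root is gone but some peer is still presenting an e-Tugra-issued certificate. Field names and the sample records are assumptions for the demo; adapt parse_record() to your own log format.

```python
"""Flag TLS handshake log records whose issuer or subject is an e-Tugra CA.

Added example for this advisory; not a vendor detection. Works on constructed
logfmt-style records ('ts key=value key="quoted value" ...').
"""
import re
from typing import Dict, Iterable, List

# Matches e-Tugra, eTugra, ETUGRA and the Turkish spelling E-Tuğra.
ETUGRA_RE = re.compile(r"e-?tu[gğ]ra", re.IGNORECASE)
# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one record; the leading token is taken as the timestamp."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(record: Dict[str, str]) -> str:
    """'high': the handshake succeeded, so this client still trusts the e-Tugra
    root and its certifi bundle is unpatched. 'medium': the root was rejected
    (expected after the fix) but a peer still presents an e-Tugra chain."""
    return "high" if record.get("result") == "ok" else "medium"


def find_etugra_handshakes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records whose issuer or subject names e-Tugra, with a severity."""
    hits = []
    for line in lines:
        record = parse_record(line)
        names = " ".join((record.get("issuer", ""), record.get("subject", "")))
        if ETUGRA_RE.search(names):
            record["severity"] = triage(record)
            hits.append(record)
    return hits


# Constructed sample log: one benign handshake, two that validated against
# e-Tugra chains, and one rejected because the root is no longer trusted.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host=app01 event=tls_handshake issuer="CN=Example Trusted Root" subject="CN=api.example.com" result=ok
2024-03-01T10:00:02Z host=app02 event=tls_handshake issuer="CN=E-Tugra Certification Authority" subject="CN=login.example.com" result=ok
2024-03-01T10:00:03Z host=app03 event=tls_handshake issuer="O=E-Tuğra Sample Org, CN=Sample Intermediate" subject="CN=mail.example.com" result=ok
2024-03-01T10:00:04Z host=app04 event=tls_handshake issuer="CN=ETUGRA SAMPLE ROOT" subject="CN=cdn.example.com" result=fail reason=unknown_ca
"""

if __name__ == "__main__":
    for hit in find_etugra_handshakes(SAMPLE_LOG.splitlines()):
        print(hit["severity"], hit["timestamp"], hit["host"], hit["issuer"])
```

The "high" hits are the ones to act on first: they identify hosts whose trust store still accepts e-Tugra and therefore still need the certifi update.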
🔗 References
- https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
- https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/
- https://security.netapp.com/advisory/ntap-20240912-0002/