CVE-2024-3651
📋 TL;DR
A denial-of-service vulnerability exists in the kjd/idna library's idna.encode() function where specially crafted input strings trigger quadratic computational complexity. This causes excessive processing time that can exhaust system resources and make services unresponsive. Any application using vulnerable versions of this library for Internationalized Domain Name processing is affected.
💻 Affected Systems
- kjd/idna library
- Applications using kjd/idna for IDN processing
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, potentially affecting multiple dependent services in a chain reaction.
Likely Case
Degraded performance and intermittent service disruptions when processing maliciously crafted domain names.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
Exploitation requires sending crafted input to the vulnerable function, which is straightforward for attackers. The bounty program references indicate active research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
Vendor Advisory: https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
Restart Required: No
Instructions:
1. Update the idna library using pip: pip install --upgrade idna
2. Verify the installed version is 3.7 or higher
3. Restart any Python applications using the library
🔧 Temporary Workarounds
Input Validation and Length Limits
Implement strict input validation and length limits on strings passed to idna.encode()
# Python example: validate input before encoding (100 is an illustrative limit; choose one that fits your inputs)
MAX_INPUT_LEN = 100
def check_idn_input(input_string: str) -> str:
    if len(input_string) > MAX_INPUT_LEN:
        raise ValueError('Input too long')
    # Additional validation for allowed characters goes here
    return input_string
Resource Limiting
Use process/thread resource limits to prevent CPU exhaustion
# Linux: cap the CPU time a worker process may consume, in seconds
ulimit -t 30
# Container: pin the container to a single CPU
docker run --cpus="1.0" ...
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all inputs to idna.encode() functions
- Deploy rate limiting and monitoring for abnormal CPU usage patterns
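The input validation recommended above (under Temporary Workarounds and If You Can't Patch), worked into a guard that bounds what reaches idna.encode(). This is an added example, not code from the advisory or the idna project; it generalizes the length check to the DNS name and label limits and adds a strict character allow-list. The function names, the limits and the stdlib fallback (used only when kjd/idna is not installed) are assumptions.

```python
import unicodedata

try:
    import idna  # kjd/idna; assumption: a fixed release (3.7 or later) is installed
except ImportError:  # assumption: fall back to the stdlib codec so the example runs offline
    idna = None

MAX_NAME_LEN = 253   # DNS limit on a full name (RFC 1035)
MAX_LABEL_LEN = 63   # DNS limit on a single label (RFC 1035)


class IDNInputError(ValueError):
    """Raised when a name is rejected before it reaches idna.encode()."""


def validate_idn_input(name: str) -> str:
    """Bound and sanity-check a name before any IDNA processing.

    The length caps keep the work handed to the library proportional to a
    real DNS name. The character check is a deliberately strict allow-list:
    it also rejects ZWJ/ZWNJ, which IDNA2008 permits only in context.
    """
    if not isinstance(name, str):
        raise IDNInputError("name must be a str")
    if not 0 < len(name) <= MAX_NAME_LEN:
        raise IDNInputError(f"name length {len(name)} not in 1..{MAX_NAME_LEN}")
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= MAX_LABEL_LEN:
            raise IDNInputError(f"label length {len(label)} not in 1..{MAX_LABEL_LEN}")
    for ch in name:
        # C* = control/format/unassigned, Z* = separators: never valid in a hostname
        if unicodedata.category(ch)[0] in "CZ":
            raise IDNInputError(f"disallowed code point U+{ord(ch):04X}")
    return name


def is_rejected(name: str) -> bool:
    """True when validate_idn_input() refuses the name (convenience for checks)."""
    try:
        validate_idn_input(name)
    except IDNInputError:
        return True
    return False


def safe_idna_encode(name: str) -> bytes:
    """Validate first, then encode; the library never sees unbounded input."""
    checked = validate_idn_input(name)
    if idna is not None:
        return idna.encode(checked)
    return checked.encode("idna")  # stdlib IDNA 2003 fallback (assumption)


if __name__ == "__main__":
    print(safe_idna_encode("b\u00fccher.example"))  # b'xn--bcher-kva.example'
```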
🔍 How to Verify
Check if Vulnerable:
Check whether the installed idna version is below 3.7 (for example 3.6): python -c "import idna; print(idna.__version__)"
Check Version:
python -c "import idna; print('idna version:', idna.__version__)"
Verify Fix Applied:
Verify idna version is 3.7 or higher and test with known malicious inputs
📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for IDN encoding operations
- High CPU usage by Python processes calling idna functions
Network Indicators:
- Repeated requests with specially crafted domain names
- Traffic patterns targeting IDN processing endpoints
SIEM Query:
source="application.logs" AND ("idna.encode" OR "IDN processing") AND duration>5s
🔗 References
- https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
- https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
- https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43/