CVE-2024-39689
📋 TL;DR
This CVE involves the removal of GLOBALTRUST root certificates from the certifi Python package due to compliance issues. Systems using affected certifi versions may trust certificates issued by GLOBALTRUST, potentially allowing man-in-the-middle attacks or spoofing of TLS connections. Any Python application using certifi for TLS certificate validation is affected.
💻 Affected Systems
- certifi Python package
📦 What is this software?
Certifi by Certifi
Management Services For Element Software And Netapp Hci by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform man-in-the-middle attacks, intercepting and decrypting sensitive data in transit, or spoof legitimate websites and services.
Likely Case
Reduced trust in certificate validation, potentially allowing connections to malicious sites that appear legitimate due to GLOBALTRUST-issued certificates.
If Mitigated
Minimal impact if systems are patched or use additional certificate pinning/validation mechanisms.
🎯 Exploit Status
Exploitation would require control of a GLOBALTRUST-issued certificate or compromise of GLOBALTRUST infrastructure; the GLOBALTRUST root certificates themselves are being removed from trust stores.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.7.4
Vendor Advisory: https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
Restart Required: No
Instructions:
1. Update certifi package: pip install --upgrade certifi==2024.7.4
2. Verify the update: pip show certifi
3. Restart any Python applications using certifi to ensure they load the updated certificate store.
🔧 Temporary Workarounds
Manual certificate store update
Manually remove the GLOBALTRUST entries from the certifi certificate store file
# Backup current certifi store
cp $(python -m certifi) $(python -m certifi).bak
# Edit the file to remove GLOBALTRUST entries
# The exact location varies by system
🧯 If You Can't Patch
- Implement certificate pinning for critical connections
- Use alternative certificate validation mechanisms or custom certificate stores
🔍 How to Verify
Check if Vulnerable:
Check certifi version: pip show certifi | grep Version
If the version is 2021.5.30 or later but earlier than 2024.7.4, the system is vulnerable.
Check Version:
pip show certifi | grep Version
Verify Fix Applied:
Verify certifi version is 2024.7.4 or later: pip show certifi | grep Version
Check that GLOBALTRUST certificates are not present in the certifi store.
📡 Detection & Monitoring
Log Indicators:
- TLS handshake failures with GLOBALTRUST certificates
- Certificate validation warnings mentioning GLOBALTRUST
Network Indicators:
- Connections using GLOBALTRUST-issued certificates
- Unexpected certificate authorities in TLS negotiations
SIEM Query:
source="*" ("GLOBALTRUST" OR "certifi") AND ("certificate" OR "TLS" OR "SSL")
🔗 References
- https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
- https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
- https://security.netapp.com/advisory/ntap-20241206-0001/