Bug 1809065 (CVE-2020-8492) - CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
Summary: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthH...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8492
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1809066 1809067 1809068 1809069 1809071 1809072 1809073 1809074 Engineering1810615 Engineering1810616 Engineering1810617 Engineering1810618 Engineering1810619 Engineering1810620 Engineering1810621 Engineering1810622 Engineering1810623
Blocks: Embargoed1809083 1827852
TreeView+ depends on / blocked
 
Reported: 2020-03-02 11:36 UTC by Marian Rehak
Modified: 2021-08-06 01:20 UTC (History)
22 users (show)

Fixed In Version: python 3.8.3
Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption vulnerability was discovered in python in the class AbstractBasicAuthHandler, due to the kind of regular expression used while handling an authentication request in the http_error_auth_reqed method. Client applications that use, directly or indirectly, AbstractBasicAuthHandler to connect to a malicious server may be vulnerable to this flaw, which would cause an uncontrolled use of CPU resources on the victim's system, resulting in a Denial of Service.
Clone Of:
Environment:
Last Closed: 2020-09-29 21:59:54 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3888 0 None None None 2020-09-29 19:36:46 UTC
Red Hat Product Errata RHSA-2020:4285 0 None None None 2020-10-19 18:05:40 UTC
Red Hat Product Errata RHSA-2020:4433 0 None None None 2020-11-04 00:51:36 UTC
Red Hat Product Errata RHSA-2020:4641 0 None None None 2020-11-04 02:35:51 UTC

Internal Links: 1827852

Description Marian Rehak 2020-03-02 11:36:24 UTC 
Multiple python versions allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Upstream Issue:

https://bugs.python.org/issue39503
Comment 1 Marian Rehak 2020-03-02 11:37:34 UTC 
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1809067]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1809073]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1809068]
Affects: fedora-all [bug 1809072]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1809069]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1809066]
Affects: fedora-all [bug 1809071]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1809074]
Comment 2 Riccardo Schirone 2020-03-05 11:58:58 UTC 
Upstream proposed PR:
https://github.com/python/cpython/pull/18284
Comment 3 Riccardo Schirone 2020-03-05 14:02:53 UTC 
The attack scenario is an attacker, in control of a server, who tries to conduct a Denial of Service attack against a victim client that uses a vulnerable python version. Due to expensive regular expression in AbstractBasicAuthHandler, when the client receives specially crafted responses from a server it may use all the CPU to match the regular expression.

This flaw affects python applications that use AbstractBasicAuthHandler, either directly or indirectly (e.g. including HTTPBasicAuthHandler and ProxyBasicAuthHandler).
Comment 4 Riccardo Schirone 2020-03-05 14:07:49 UTC 
Lowering the Impact of the flaw to Moderate because the attacker needs to perform the attack from a server to a vulnerable client. Thus a client, to be affected, should first connect to either an untrusted server or to a trusted server that was compromised.
Comment 6 Riccardo Schirone 2020-03-05 14:31:57 UTC 
Another upstream issue (probably a duplicate):
https://bugs.python.org/issue38826
Comment 8 Riccardo Schirone 2020-03-05 14:38:59 UTC 
Class AbstractBasicAuthHandler uses a particular regular expression with overlapping characters and nested quantifiers which results in a lot of backtracking on some particular subjects. Backtracking requires the regular expression engine to enumerate all possible solutions, which makes the operation very expensive as it has an exponential cost. For this reason, when a malicious server sends a specially crafted 401 response, the client will take a very long time to parse the request, causing a Denial of Service in some applications.
Comment 10 Riccardo Schirone 2020-03-05 15:37:20 UTC 
Statement:

Applications that use AbstractBasicAuthHandler, HTTPBasicAuthHandler and ProxyBasicAuthHandler may be affected by this flaw. Other classes may use the vulnerable method http_error_auth_reqed in AbstractBasicAuthHandler as well.

Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as notaffected as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
Comment 11 Riccardo Schirone 2020-04-02 07:11:17 UTC 
Upstream fix:
https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4
Comment 13 Fedora Update System 2020-05-29 02:26:30 UTC 
FEDORA-2020-6a88dad4a0 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 14 Fedora Update System 2020-07-04 01:12:24 UTC 
FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 15 Fedora Update System 2020-07-10 01:01:04 UTC 
FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2020-09-29 19:36:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3888 https://access.redhat.com/errata/RHSA-2020:3888
Comment 17 Product Security DevOps Team 2020-09-29 21:59:54 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8492
Comment 20 errata-xmlrpc 2020-10-19 18:05:49 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
Comment 21 errata-xmlrpc 2020-11-04 00:51:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433
Comment 22 errata-xmlrpc 2020-11-04 02:35:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641
Note You need to log in before you can comment on or make changes to this bug.