CGA-f4qg-9fw4-8247
Denial of Service vulnerability in cryptography (PyPI)
What is CGA-f4qg-9fw4-8247 About?
This vulnerability in `cryptography` can cause a NULL pointer dereference, crashing the Python process, when `pkcs12.serialize_key_and_certificates` is called with misaligned public/private keys and a specific encryption algorithm. This leads to a denial of service. Exploitation requires specific malformed input to the API.
Affected Software
- cryptography
- <97d231672763cdb5959a3b191e692a362f1b9e55
- >38.0.0, <42.0.4
Technical Details
The vulnerability occurs within the cryptography library when the pkcs12.serialize_key_and_certificates function is invoked under specific conditions. A NULL pointer dereference is triggered if two criteria are met simultaneously: first, a certificate is provided whose public key does not match the associated private key; and second, the encryption_algorithm specified has hmac_hash set (e.g., via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)). This combination of mismatched cryptographic components and a specific hashing configuration leads to an invalid memory access, causing the Python process to crash. The attack vector involves supplying these malformed inputs programmatically to the affected function.
What is the Impact of CGA-f4qg-9fw4-8247?
Successful exploitation may allow attackers to crash applications or services that utilize the vulnerable cryptography library, leading to a denial of service and disrupting system availability.
What is the Exploitability of CGA-f4qg-9fw4-8247?
Exploitation of this vulnerability requires an attacker to be able to control or manipulate the input arguments passed to the pkcs12.serialize_key_and_certificates function within an application using the cryptography library. This is typically a local exploitation scenario, as it involves interaction with the application's code. The complexity is moderate, requiring specific knowledge of the cryptographic API and how to craft inputs that meet the two problematic conditions (mismatched keys and specific hmac_hash setting). No specific authentication or elevated privileges are typically required for invoking the relevant function, assuming the attacker has sufficient access to interact with the application. The likelihood of exploitation increases in applications that process untrusted cryptographic certificates or keys, or applications that might have bugs generating these key pairs.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CGA-f4qg-9fw4-8247?
Available Upgrade Options
- cryptography
- <97d231672763cdb5959a3b191e692a362f1b9e55 → Upgrade to 97d231672763cdb5959a3b191e692a362f1b9e55
- cryptography
- >38.0.0, <42.0.4 → Upgrade to 42.0.4
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/pyca/cryptography
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
- https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
- https://github.com/pyca/cryptography/pull/10423
- https://osv.dev/vulnerability/PYSEC-2024-225
- https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
- https://osv.dev/vulnerability/GHSA-6vqw-3v5j-54x4
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
What are Similar Vulnerabilities to CGA-f4qg-9fw4-8247?
Similar Vulnerabilities: CVE-2023-23916 , CVE-2022-21724 , CVE-2021-4149 , CVE-2020-36242 , CVE-2019-13057
