CVE-2020-36242
Integer Overflow vulnerability in cryptography (PyPI)
What is CVE-2020-36242 About?
The `cryptography` package for Python, in versions before 3.3.2, is vulnerable to an integer overflow during symmetric encryption of multi-GB inputs. The integer overflow can lead to a buffer overflow and, in turn, to denial of service or potentially arbitrary code execution. Exploitation requires supplying very large data for encryption, which makes the attack comparatively complex.
Affected Software
Technical Details
In the `cryptography` package for Python, prior to version 3.3.2, an integer overflow and subsequent buffer overflow can occur when performing symmetric encryption with certain sequences of update calls, particularly on multi-gigabyte inputs. The issue is demonstrated with the `Fernet` class. When very large amounts of data are processed, an internal length value used for buffer management can exceed the maximum of its integer type, producing an integer overflow. The overflowed value then feeds an incorrect buffer-size calculation, so a buffer can be written past its allocated boundary (a buffer overflow). Such an overflow can lead to data corruption, denial of service, or potentially arbitrary code execution if the overwritten memory holds program control-flow data.
What is the Impact of CVE-2020-36242?
Successful exploitation may allow attackers to cause data corruption, trigger a denial of service, or potentially achieve arbitrary code execution by overflowing a buffer.
What is the Exploitability of CVE-2020-36242?
Exploitation complexity is high. It requires an attacker to be able to provide extremely large (multi-GB) inputs to symmetric encryption functions within the vulnerable cryptography library. No authentication or specific user privileges are required at the point of exploitation itself, but the attacker must have the ability to supply the massive data through an application-level interface. This is typically a remote attack if the application processes large untrusted data for encryption, but it could also be local if an attacker has system access to interact with such an application. The primary prerequisite is that the application uses a vulnerable version of the library and attempts to encrypt exceptionally large data chunks from an untrusted source without proper size validation. The risk factor is elevated in scenarios where large files are symmetrically encrypted based on user input or external data streams.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-36242?
Available Upgrade Options
- cryptography
  - >3.1, <3.3.2 → Upgrade to 3.3.2
Additional Resources
- https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
- https://github.com/advisories/GHSA-rhm9-p9w5-fwm7
- https://github.com/pyca/cryptography/issues/5615
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/pyca/cryptography
- https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E
What are Similar Vulnerabilities to CVE-2020-36242?
Similar Vulnerabilities: CVE-2016-7056, CVE-2017-1000381, CVE-2017-1000382, CVE-2018-1000654, CVE-2019-1010174
