CVE-2023-37920
Security issues vulnerability in certifi (PyPI)


What is CVE-2023-37920 About?

This vulnerability concerns Certifi 2023.07.22 removing root certificates belonging to 'e-Tugra' following reports of security issues in e-Tugra's systems. The impact is a potential disruption of trust chains for applications that rely on these roots, leading to connection failures against services that present e-Tugra-issued certificates. It is not directly exploitable by an attacker; it is a corrective action addressing underlying security weaknesses at the CA.

Affected Software

certifi >2015.4.28, <2023.7.22

Technical Details

Certifi 2023.07.22 removed the root certificates belonging to 'e-Tugra' from its trust store. The action followed an investigation prompted by reports of security issues detected within e-Tugra's systems, and it mirrors the same removal being carried out by Mozilla for its own root store. The technical mechanism is a direct modification of the certificate bundle that Certifi ships, which effectively distrusts every certificate chaining to an e-Tugra root. Applications that use Certifi as their source of trusted root certificates will, once updated, no longer validate TLS/SSL connections to endpoints presenting certificates from the e-Tugra hierarchy, which can surface as connection failures or security warnings. This is not an attack vector but a defensive measure against potential compromise of the e-Tugra CA system.

What is the Impact of CVE-2023-37920?

If a Certificate Authority is compromised, attackers may be able to intercept or impersonate TLS communications that chain to it. This CVE, however, records the removal of a problematic CA from the bundle to prevent such scenarios; it does not describe an exploitable flaw in Certifi itself.

What is the Exploitability of CVE-2023-37920?

This is not an exploitable vulnerability in the traditional sense, but rather a correction for underlying security issues related to a Certificate Authority. Consequently there are no direct exploitation complexity, authentication, privilege, or access requirements for external attackers. The 'exploit' here refers to a historical compromise or weakness in the e-Tugra CA that led to its distrust. The risk lies in applications that previously trusted e-Tugra certificates failing to establish secure connections after the Certifi update, or, conversely, in applications that continue to run an outdated Certifi version and thus remain exposed to potential abuse of the distrusted CA.
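The two practical questions raised by the Technical Details and Exploitability sections above are (1) does the CA bundle an application actually loads still contain e-Tugra roots, and (2) is the installed certifi inside the affected range? The script below is an added example, not code from the advisory or from the certifi project. It relies on the real layout of certifi's cacert.pem, where each PEM block is preceded by a `# Label: "..."` comment naming the root, and on the real `certifi.where()` API for locating the bundle. The sample bundle is constructed for the example and its base64 bodies are placeholders; the affected range is the one stated on this page.

```python
"""Added example, not part of the advisory or of the certifi project.

Audits a certifi-style CA bundle for e-Tugra roots (the roots this advisory
says certifi 2023.7.22 removed) and checks an installed certifi version
against the affected range ">2015.4.28, <2023.7.22" stated on the page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Version range taken from the advisory's "Affected Software" section.
FIRST_AFFECTED_EXCLUSIVE = "2015.4.28"
FIXED_VERSION = "2023.7.22"

# certifi's cacert.pem (generated from Mozilla's store) precedes each PEM block
# with comment lines; the '# Label:' line carries the human-readable root name.
LABEL_RE = re.compile(r'^# Label: "(?P<label>[^"]*)"')

# Constructed sample bundle in that layout. The base64 bodies are placeholders
# (assumption), not real certificates; only the labels matter for this check.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Trusted Root O=Example
# Subject: CN=Example Trusted Root O=Example
# Label: "Example Trusted Root"
-----BEGIN CERTIFICATE-----
MIIBplaceholderPlaceholderPlaceholder
-----END CERTIFICATE-----

# Issuer: CN=E-Tugra Certification Authority O=E-Tugra
# Subject: CN=E-Tugra Certification Authority O=E-Tugra
# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
MIIBplaceholderPlaceholderPlaceholder
-----END CERTIFICATE-----
"""


def bundle_labels(bundle_text: str) -> List[str]:
    """Return the '# Label:' name of every certificate block in the bundle."""
    labels: List[str] = []
    pending: Optional[str] = None
    for line in bundle_text.splitlines():
        match = LABEL_RE.match(line)
        if match:
            pending = match.group("label")
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            # A block without a preceding label is still a trust anchor; record it.
            labels.append(pending if pending is not None else "<unlabelled>")
            pending = None
    return labels


def distrusted_roots_present(bundle_text: str,
                             patterns: Tuple[str, ...] = ("e-tugra",)) -> List[str]:
    """Labels in the bundle matching a distrusted-CA name pattern (case-insensitive)."""
    return [label for label in bundle_labels(bundle_text)
            if any(p in label.lower() for p in patterns)]


def parse_version(version: str) -> Tuple[int, ...]:
    """certifi versions are date-based (YYYY.M.D); compare them numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(installed: str) -> bool:
    """True if the installed certifi falls inside the advisory's affected range."""
    v = parse_version(installed)
    return parse_version(FIRST_AFFECTED_EXCLUSIVE) < v < parse_version(FIXED_VERSION)


def audit_installed_certifi() -> Dict[str, object]:
    """Check the certifi installed in this interpreter, if any."""
    try:
        import certifi  # real package; certifi.where() returns the bundle path
        from importlib.metadata import version
    except ImportError:
        return {"installed": False}
    installed = version("certifi")
    with open(certifi.where(), encoding="utf-8") as fh:
        bundle = fh.read()
    return {
        "installed": True,
        "version": installed,
        "affected_version": is_affected_version(installed),
        "distrusted_roots": distrusted_roots_present(bundle),
    }


if __name__ == "__main__":
    print("sample bundle distrusted roots:", distrusted_roots_present(SAMPLE_BUNDLE))
    print("installed certifi:", audit_installed_certifi())
```

Running the script against a pre-2023.7.22 certifi reports both `affected_version: True` and a non-empty `distrusted_roots` list; after upgrading, both checks clear. Checking the bundle contents as well as the version matters because applications sometimes point `SSL_CERT_FILE` or `REQUESTS_CA_BUNDLE` at a copied or vendored bundle that the package upgrade never touches; the same `distrusted_roots_present` call works on any such file.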

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-37920?


About the Fix from Resolved Security

This patch removes the Hongkong Post Root CA 1 and E-Tugra Certification Authority root certificates from the trusted CA bundle and adds tests to ensure their absence, specifically addressing CVE-2023-37920. By removing these compromised or no longer trusted root certificates, the patch prevents potential exploitation arising from their inclusion, thus fixing the vulnerability.

Available Upgrade Options

  • certifi
    • >2015.4.28, <2023.7.22 → Upgrade to 2023.7.22


Additional Resources

What are Similar Vulnerabilities to CVE-2023-37920?

Similar Vulnerabilities: CVE-2023-28491, CVE-2021-3729, CVE-2020-0551, CVE-2018-8098, CVE-2017-15229