Python up to 3.4.2 Lib/os.py os._get_masked_mode race condition

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
4.9$0-$5k0.00

A vulnerability, which was classified as problematic, has been found in Python (Programming Language Software). Affected by this issue is the function os._get_masked_mode in the library Lib/os.py. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Impacted is confidentiality, integrity, and availability.

The weakness was published 03/28/2014 by Ryan Lortie as Issue 21082 as confirmed bug report (Bug Tracker). The advisory is available at bugs.python.org. The public release has been coordinated with the vendor. This vulnerability is handled as CVE-2014-2667 since 03/26/2014. The exploitation is known to be difficult. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a private exploit are known. The following code is the reason for this vulnerability: 

mask = umask(0)

A private exploit has been developed by Ryan Lortie. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 75344 (openSUSE Security Update : python3 (openSUSE-SU-2014:0596-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 123131 (Fedora Security Update for python3 (FEDORA-2014-16479)). The advisory illustrates:

This is not theoretical: I discovered this bug by observing it happen.

Applying the patch Issue 21082 is able to eliminate this problem. The bugfix is ready for download at bugs.python.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:

mask = umask(0o022)
The bug report contains the following remark:
Setting the umask changes it process-wide and so affect other threads, but there is no other way to get the current umask. Use 022 because this mask is the usual default.

The vulnerability is also documented in the databases at X-Force (92179) and Tenable (75344).

Productinfo

Type

Name

Version

License

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB CVSS-B Score: 🔍
VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 5.6
VulDB Meta Temp Score: 4.9

VulDB Base Score: 5.6
VulDB Temp Score: 4.9
VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
unlockunlockunlockunlockunlockunlock
unlockunlockunlockunlockunlockunlock
unlockunlockunlockunlockunlockunlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

NVD Base Score: 🔍

Exploitinginfo

Class: Race condition
CWE: CWE-362
CAPEC: 🔍
ATT&CK: 🔍

Local: No
Remote: Yes

Availability: 🔍
Access: Private
Status: Proof-of-Concept
Author: Ryan Lortie

EPSS Score: 🔍
EPSS Percentile: 🔍

Price Prediction: 🔍
Current Price Estimation: 🔍

0-Dayunlockunlockunlockunlock
Todayunlockunlockunlockunlock

Nessus ID: 75344
Nessus Name: openSUSE Security Update : python3 (openSUSE-SU-2014:0596-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍

OpenVAS ID: 105007
OpenVAS Name: Fedora Update for python3 FEDORA-2014-16393
OpenVAS File: 🔍
OpenVAS Family: 🔍

Qualys ID: 🔍
Qualys Name: 🔍

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Patch
Status: 🔍

Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍

Patch: Issue 21082

Timelineinfo

03/26/2014 🔍
03/28/2014 +2 days 🔍
03/28/2014 +0 days 🔍
03/28/2014 +0 days 🔍
03/28/2014 +0 days 🔍
03/28/2014 +0 days 🔍
03/28/2014 +0 days 🔍
03/29/2014 +1 days 🔍
06/13/2014 +76 days 🔍
06/17/2014 +4 days 🔍
11/15/2014 +151 days 🔍
06/16/2021 +2405 days 🔍

Sourcesinfo

Advisory: Issue 21082
Researcher: Ryan Lortie
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍

CVE: CVE-2014-2667 (🔍)
X-Force: 92179 - Python get_masked_mode() information disclosure, Low Risk
SecurityTracker: 1029974 - Python _get_masked_mode() File Permission Flaw Lets Local Users Gain Elevated Privileges
Vulnerability Center: 45018 - Python 3.2 - 3.4 Local Information Disclosure in Os._get_masked_mode Function, Low
SecurityFocus: 66521 - python 'os._get_masked_mode()' Function Local Race Condition Vulnerability
Secunia: 57672 - Python "os._get_masked_mode()" Race Condition Security Issue, Not Critical

scip Labs: https://www.scip.ch/en/?labs.20161013

Entryinfo

Created: 03/28/2014 15:53
Updated: 06/16/2021 09:49
Changes: 03/28/2014 15:53 (87), 05/31/2017 08:48 (10), 06/16/2021 09:44 (3), 06/16/2021 09:49 (1)
Complete: 🔍

Discussion

No comments yet. Languages: en.

Please log in to comment.

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!