Python up to 3.4.2 Lib/os.py os._get_masked_mode race condition
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.9 | $0-$5k | 0.00 |
A vulnerability, which was classified as problematic, has been found in Python (Programming Language Software). Affected by this issue is the function os._get_masked_mode
in the library Lib/os.py. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Impacted is confidentiality, integrity, and availability.
The weakness was published 03/28/2014 by Ryan Lortie as Issue 21082 as confirmed bug report (Bug Tracker). The advisory is available at bugs.python.org. The public release has been coordinated with the vendor. This vulnerability is handled as CVE-2014-2667 since 03/26/2014. The exploitation is known to be difficult. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a private exploit are known. The following code is the reason for this vulnerability:
mask = umask(0)
A private exploit has been developed by Ryan Lortie. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 75344 (openSUSE Security Update : python3 (openSUSE-SU-2014:0596-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 123131 (Fedora Security Update for python3 (FEDORA-2014-16479)). The advisory illustrates:
This is not theoretical: I discovered this bug by observing it happen.
Applying the patch Issue 21082 is able to eliminate this problem. The bugfix is ready for download at bugs.python.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:
mask = umask(0o022)The bug report contains the following remark:
Setting the umask changes it process-wide and so affect other threads, but there is no other way to get the current umask. Use 022 because this mask is the usual default.
The vulnerability is also documented in the databases at X-Force (92179) and Tenable (75344).
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.6VulDB Meta Temp Score: 4.9
VulDB Base Score: 5.6
VulDB Temp Score: 4.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Race conditionCWE: CWE-362
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Private
Status: Proof-of-Concept
Author: Ryan Lortie
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 75344
Nessus Name: openSUSE Security Update : python3 (openSUSE-SU-2014:0596-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 105007
OpenVAS Name: Fedora Update for python3 FEDORA-2014-16393
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: Issue 21082
Timeline
03/26/2014 🔍03/28/2014 🔍
03/28/2014 🔍
03/28/2014 🔍
03/28/2014 🔍
03/28/2014 🔍
03/28/2014 🔍
03/29/2014 🔍
06/13/2014 🔍
06/17/2014 🔍
11/15/2014 🔍
06/16/2021 🔍
Sources
Advisory: Issue 21082Researcher: Ryan Lortie
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2014-2667 (🔍)
X-Force: 92179 - Python get_masked_mode() information disclosure, Low Risk
SecurityTracker: 1029974 - Python _get_masked_mode() File Permission Flaw Lets Local Users Gain Elevated Privileges
Vulnerability Center: 45018 - Python 3.2 - 3.4 Local Information Disclosure in Os._get_masked_mode Function, Low
SecurityFocus: 66521 - python 'os._get_masked_mode()' Function Local Race Condition Vulnerability
Secunia: 57672 - Python "os._get_masked_mode()" Race Condition Security Issue, Not Critical
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 03/28/2014 15:53Updated: 06/16/2021 09:49
Changes: 03/28/2014 15:53 (87), 05/31/2017 08:48 (10), 06/16/2021 09:44 (3), 06/16/2021 09:49 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.