CVE-2024-26130 in cryptographyinfo

Summary

by MITRE • 02/21/2024

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/06/2025

The vulnerability identified as CVE-2024-26130 affects the cryptography Python package, specifically targeting version 38.0.0 through 42.0.3 where a critical NULL pointer dereference occurs during PKCS#12 certificate serialization. This flaw exists within the `pkcs12.serialize_key_and_certificates` function when processing certificate-key pairs where the public key does not match the provided private key, combined with HMAC hash encryption configuration. The issue represents a classic software security vulnerability that can be exploited to cause denial of service through process termination, making it particularly concerning for applications that rely on secure cryptographic operations.

The technical root cause of this vulnerability stems from improper input validation and error handling within the cryptographic library's PKCS#12 serialization mechanism. When developers call the serialization function with mismatched certificate and private key components alongside HMAC hash encryption parameters, the underlying code fails to properly validate the cryptographic consistency before attempting to dereference memory pointers. This NULL pointer dereference represents a fundamental flaw in the software's defensive programming practices, as it does not adequately protect against malformed input conditions that should be rejected rather than processed. The vulnerability aligns with CWE-476 which specifically addresses NULL pointer dereferences, and demonstrates poor error handling that violates secure coding principles.

The operational impact of this vulnerability extends beyond simple denial of service, as it can be exploited by malicious actors to disrupt cryptographic services that depend on the cryptography package. Applications using this library for certificate management, secure communications, or cryptographic operations may experience unexpected crashes when processing improperly configured PKCS#12 files. The vulnerability affects systems where Python applications perform certificate serialization tasks, particularly in environments handling sensitive data or implementing security protocols. The fact that this issue was present across multiple versions indicates a prolonged period of exposure, potentially allowing attackers to develop exploitation techniques that could be used in broader attack campaigns targeting systems using vulnerable cryptography libraries.

Mitigation strategies for this vulnerability require immediate deployment of cryptography package version 42.0.4 or later, which properly raises a ValueError instead of allowing the NULL pointer dereference to occur. Organizations should conduct comprehensive vulnerability assessments to identify all systems using affected versions of the cryptography package and implement patch management procedures to ensure timely updates. Security teams should monitor for potential exploitation attempts targeting this specific vulnerability, as the denial of service aspect makes it attractive for attackers seeking to disrupt services. Additionally, developers should review their code implementations to ensure proper error handling for cryptographic operations and consider implementing additional input validation layers to prevent similar issues in custom cryptographic implementations. The fix implemented in version 42.0.4 represents a proper defensive programming approach that aligns with ATT&CK technique T1499.004 for resource hijacking through denial of service, by preventing the crash condition rather than attempting to recover from it.

Responsible

GitHub, Inc.

Reservation

02/14/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00831

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!