CVE-2024-3219 in CPython
Summary
by MITRE • 07/30/2024
There is a MEDIUM severity vulnerability affecting CPython.
The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer.
Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 12/12/2024
The vulnerability identified as CVE-2024-3219 represents a medium severity issue within the CPython implementation that affects the socket module's fallback mechanism for platforms lacking native AF_UNIX support. This flaw specifically impacts Windows systems and other platforms that must rely on the pure-Python implementation of socket.socketpair() instead of the native system call. The vulnerability stems from an insufficient verification process during socket connection establishment, creating a window of opportunity for malicious actors to exploit the system's networking stack.
The technical implementation flaw resides in the pure-Python fallback code that utilizes AF_INET or AF_INET6 families to create local socket pairs when AF_UNIX is unavailable. This approach creates a fundamental security gap because the implementation fails to verify that the connection between the two socket endpoints is legitimate and established by the same process that initiated the socketpair() call. The lack of proper connection validation means that a malicious local peer could potentially intercept or manipulate the connection before it reaches the intended recipient, creating a race condition vulnerability that undermines the expected security properties of the socketpair() function.
The operational impact of this vulnerability extends beyond simple network communication issues as it affects the integrity of local inter-process communication mechanisms that depend on socketpair() for secure local socket creation. Systems running affected CPython versions on Windows platforms become susceptible to local privilege escalation attacks, where malicious processes could potentially establish unauthorized connections to services or applications that rely on socketpair() for secure communication. This vulnerability particularly affects applications that use socketpair() for creating secure local communication channels, including system daemons, containerized applications, and any software that depends on the socket module's ability to create reliable local socket pairs.
Security practitioners should recognize this vulnerability through the CWE-362 weakness classification, which addresses "Concurrent Execution using Shared Resource with Improper Synchronization" and the CWE-284 weakness related to "Improper Access Control." The vulnerability also maps to ATT&CK technique T1068, which involves "Exploitation for Privilege Escalation," as local attackers could potentially leverage this race condition to gain elevated privileges. Organizations running CPython applications on Windows systems should prioritize patching affected versions, particularly those between Python 3.5 and 3.11, as these versions contain the vulnerable socketpair() fallback implementation. The mitigation strategy includes upgrading to CPython 3.12 or later where the socketpair() implementation has been corrected to properly validate connections, or implementing additional network-level security controls to monitor and restrict local socket communication patterns.
The vulnerability demonstrates how pure-Python implementations can introduce security gaps that don't exist in their native counterparts, highlighting the importance of thorough security review for all code paths, particularly those involving system-level operations. Platforms that natively support AF_UNIX such as Linux and macOS remain unaffected by this specific issue, but organizations using cross-platform Python applications must ensure consistent security posture across all target environments. This vulnerability serves as a reminder of the critical need for proper socket connection validation and the potential security implications of fallback implementations that don't fully replicate the security guarantees of native system calls. The affected versions include CPython 3.5 through 3.11, with the issue being resolved in CPython 3.12 and subsequent releases through improved socketpair() implementation that properly validates socket connections before returning them to the calling application.