OpenSSL vulnerability CVE-2024-2511

[McHill007]

Bug report

Bug description:

Description

Defender on Windows is detecting openssl vulnerabilities when python is installed.
Tested for Windows Python 3.11.9 and 3.12.15.
Defender is flagging vulnerabilities in the following files in Version 3.0.13:

C:\Python\DLLs\libcrypto-3.dll
C:\Python\DLLs\libssl-3.dll

CVE-2024-2511
OpenSSL Changelog

Latest OPENSSL Version with fix:
3.0.14 [4 Jun 2024]

Impact

Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Python versions tested

3.11.9 Windows
3.12.15 WIndows

CPython versions tested on:

3.11, 3.12

Operating systems tested on:

Windows

Linked PRs

• gh-123418: Update OpenSSL to 3.0.15 on Windows #123673
• gh-123418: Update CI to use fresh OpenSSL releases #123675
• gh-123418: Update macOS installer to use OpenSSL 3.0.15 #123684
• gh-123418: Update Android build to use OpenSSL 3.0.15 #123685
• [3.13] gh-123418: Update OpenSSL to 3.0.15 on Windows (GH-123673) #123686
• [3.12] gh-123418: Update OpenSSL to 3.0.15 on Windows (GH-123673) #123691
• [3.11] gh-123418: Update OpenSSL to 3.0.15 on Windows (GH-123673) #123692
• [3.13] gh-123418: Update CI to use fresh OpenSSL releases (GH-123675) #123696
• [3.12] gh-123418: Update CI to use fresh OpenSSL releases (GH-123675) #123698
• [3.11] gh-123418: Update CI to use fresh OpenSSL releases (GH-123675) #123699
• [3.13] gh-123418: Update Android build to use OpenSSL 3.0.15 (GH-123685) #123715
• [3.13] gh-123418: Update macOS installer to use OpenSSL 3.0.15 (GH-123684) #123729
• [3.12] gh-123418: Update macOS installer to use OpenSSL 3.0.15 (GH-123684) #123730

[Wulian233]

We need upgrade Windows Installer openSSL to 3.0.14.
CC: @zooba

[zware]

There's a 3.0.15 pending for CVE-2024-2511CVE-2024-5535¹, we might wait for that. It's not obvious that Python is made vulnerable by any of the relevant OpenSSL issues, so I don't think there's any rush (but please correct me if I'm wrong :) ).

Footnotes

1. thanks Steve :) ↩

[zooba]

I assume you meant CVE-2024-5535 for 3.0.15, and it does look like we expose that functionality (though most likely in the vulnerable case it's only going to leak static memory and not secrets). But we should probably wait for that one.

I've already done a 3.0.14 build though, so if someone really wants to push a PR to use it then they'll be able to (shortly, after I push the binaries). I see no reason to trigger a round of releases yet though.

[zware]

I assume you meant CVE-2024-5535 for 3.0.15

Copied from the wrong place :(

We do use SSL_select_next_proto, but AFAICT from the description (which is not completely clear to me), we're using it in a non-vulnerable way (though maybe we make it available enough for an application to use it wrong?).

Either way, I agree that we don't need to trigger releases, but we should be sure to include 3.0.15 in our next releases. Setting release-blocker to that end, but I'm not sure that it will be available for 3.13.0rc2 next week.

[McHill007]

Seems like Version 3.0.15 is released.
https://openssl-library.org/news/openssl-3.0-notes/
Should I open a new issue?

[zware]

Should I open a new issue?

No need, this one is fine :)

[McHill007]

No need, this one is fine :)

Great. Is there a plan when the new release with the new openssl version will be available?

[zware]

There are expected to be a round of security releases this Friday, 6Sep24. The OpenSSL update for Windows should be in 3.13.0rc2 and 3.12.6; 3.11 no longer gets binary releases, but we may backport the update anyway for anyone who builds their own. 3.10 and before are out of scope for this issue.

[McHill007]

... 3.11 no longer gets binary releases ....

If I'm not mistaken, the OpenSSL binaries are only added as binaries in the MSI setup. There shouldn't be a need for code changes, right? Wouldn't it be sufficient to just replace the DLLs libssl-3.dll and libcrypto-3.dll on the vulnerable systems with python 3.11.9 installed? This way, we could avoid the effort of compiling and distributing a custom-built version ourselves.

please correct me if I'm wrong :)

[zware]

Correct, but you're completely on your own there :)

(FTR, I'm still not convinced that 3.11.9 is actually vulnerable in any meaningful way, but I'm very much not the final word on that. The change to the Windows build is already backported to the 3.11 branch, though, so it doesn't really matter to me personally whether existing versions are vulnerable or not :))

[zware]

Windows, macOS installer, Android (3.13+ only), and CI builds are all now up to date in 3.12, 3.13, and main (and 3.11 for Windows). There's still an open PR for 3.11 CI that we may or may not get cleaned up at some point, but I think we've gotten everything important updated enough to go ahead and mark this complete.