Skip to content

CVE-2023-40217: Bypass TLS handshake on closed sockets #108310

New issue
New issue
Closed
Closed
CVE-2023-40217: Bypass TLS handshake on closed sockets#108310
Assignees
ambvgpshead
Labels
3.10only security fixes3.11only security fixes3.12only security fixes3.13bugs and security fixes3.8 (EOL)end of life3.9 (EOL)end of lifetype-bugAn unexpected behavior, bug, or errortype-securityA security issue
@ambv

Description

@ambv
ambv
opened on Aug 22, 2023 · edited by bedevere-app
Contributor

Bug report

Originally reported by @aapooksman via the Python Security Response Team mailing list on 2023-08-08. Thanks for the responsible disclosure!

Checklist

  • I am confident this is a bug in CPython, not a bug in a third-party project
    I have searched the , and am confident this bug has not been reported before

CPython versions tested on:

3.8, 3.9, 3.10, 3.11, 3.12, CPython main branch

Operating systems tested on:

Linux, macOS

A clear and concise description of the bug:

Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and could lead applications to treat unencrypted data received pre-TLS-handshake that is followed by an immediate connection close as if it were post-handshake TLS encrypted data.

Linked PRs

Activity

ambv
added
type-bugAn unexpected behavior, bug, or error
type-securityA security issue
on Aug 22, 2023
ambv
added 7 commits that reference this issue on Aug 22, 2023

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

f13927b

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

8285107

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

b4d0a16

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

a9627de

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

621a117

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

fc26281

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…

f0c1e55
ambv
changed the title [-]Placeholder issue[/-] [+]CVE-2023-40217: Bypass TLS handshake on closed sockets[/+] on Aug 22, 2023
bedevere-bot
mentioned this in 5 pull requests on Aug 22, 2023

59 remaining items

bmwiedemann
added a commit that references this issue on Sep 14, 2023

Update python to version 2.7.18 / rev 187 via SR 1110909

f6d6a81
carlosroman
added 3 commits that reference this issue on Oct 11, 2023

[3.9] pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl …

6368a8e

[3.9] pythongh-108342: Break ref cycle in SSLSocket._create() exc (py…

cc9c298

[3.9] pythongh-108342: Make ssl TestPreHandshakeClose more reliable (p…

e1380b6
frenzymadness
added a commit that references this issue on Oct 11, 2023

pythongh-108310: Fix TestPreHandshakeClose tests in test_ssl

7fa62f5
bedevere-app
mentioned this on Oct 11, 2023
jwhitlock
mentioned this on Oct 16, 2023
bastien-roucaries

bastien-roucaries commented on Nov 1, 2023

@bastien-roucaries
bastien-roucaries
on Nov 1, 2023

Hi I have difficulty to port this to python3.5 it fail async io test... Can I get nsome help from upstream ?

vstinner

vstinner commented on Nov 1, 2023

@vstinner
vstinner
on Nov 1, 2023
Member

@mcepl: Maybe you backported this change to 3.5 for OpenSUSE?

bastien-roucaries

bastien-roucaries commented on Nov 1, 2023

@bastien-roucaries
bastien-roucaries
on Nov 1, 2023

@vstinner pkg badly fail https://salsa.debian.org/lts-team/packages/python3.5/-/jobs/4878473 commit his here https://salsa.debian.org/lts-team/packages/python3.5/-/commit/0aac2e98ecc60e7191a2d49ab9ae99f022f0e495

I have tried shutdown instead of close() but it core dump

mcepl

mcepl commented on Nov 1, 2023

@mcepl
mcepl
on Nov 1, 2023
Contributor

@mcepl: Maybe you backported this change to 3.5 for OpenSUSE?

True. I have here
CVE-2023-40217-avoid-ssl-pre-close-Python34.patch and
CVE-2023-40217-avoid-ssl-pre-close-Python36.patch.txt and
CVE-2023-40217-avoid-ssl-pre-close-Python27.patch.txt, just to be complete.

aman2000verma
mentioned this on Jan 7, 2024
ambv
added a commit that references this issue on Jan 17, 2024

[3.8] gh-108310: Fix TestPreHandshakeClose tests in test_ssl (#110718)

0df2eb5
mcepl
added a commit that references this issue on Apr 4, 2024

[CVE-2023-40217] Check for & avoid the ssl pre-close flaw

de8396e
github-actions
mentioned this on Apr 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

3.10only security fixes3.11only security fixes3.12only security fixes3.13bugs and security fixes3.8 (EOL)end of life3.9 (EOL)end of lifetype-bugAn unexpected behavior, bug, or errortype-securityA security issue

Projects

No projects

Milestone

No milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @ambv@gpshead@vstinner@mcepl@hugovk

      Issue actions
        CVE-2023-40217: Bypass TLS handshake on closed sockets · Issue #108310 · python/cpython