On February 19th, the Python Software Foundation released Python 3.9.2, and 3.8.8 in order to address two security flaws, one of which can be exploited remotely. The release was expedited following an unexpected amount of pressure from some users who were concerned about the flaws, which are tracked as CVE-2021-3177 and CVE-2021-23336.
The CVE takes advantage of misuse of sprintf in order to cause a buffer overflow and execute code remotely. While the vulnerability was declared “Remote executable”, the Python team feels that practical exploits of this vulnerability are very unlikely due to the conditions needing to be met for successful RCE.
Analyst Notes
Binary Defense recommends that all Python users update their Python to 3.8.8 or 3.9.2. In order to exploit CVE-2021-3177, an attacker would need to pass a malicious input as a floating-point number that would be evaluated as a command line argument to a Python script and then passed through the repr() function, which is likely if command line arguments are stored in a log file. The other requirements for the argument to be both a valid floating-point number and also machine code that overflows the stack make it very difficult to exploit, but it illustrates an important point that can be applied to all software development security efforts: never trust user input. Any opportunity that a remote user may have to supply any value that is used by a computer program must be treated with extreme care and filtered as early as possible on the server side (not in client code that can be altered by an attacker) to ensure that values are always within expected ranges that make sense in the context of the application.
The Python Software Foundation release notes can be found here: https://blog.python.org/2021/02/python-392-and-388-are-now-available.html
Read more at ZDNet: https://www.zdnet.com/article/python-programming-language-hurries-out-update-to-tackle-remote-code-vulnerability/
