Python Vulnerability in MacOS or Linux Leads to Exploiting The Memory

   December 10, 2024  Posted in CyberSecurityNews


A high-severity vulnerability (CVE-2024-12254) impacting CPython has been publicly disclosed, affecting Python versions 3.12.0 and later.

The flaw, identified in the asyncio module, specifically lies in the _SelectorSocketTransport.writelines() method, potentially leading to memory exhaustion under certain conditions.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Overview of the Vulnerability

The vulnerability arises from improper handling of memory buffering in the writelines() method used within the asyncio module.

Normally, when the write buffer reaches a “high-water mark,” the system pauses writing and signals the protocol to drain the buffer to avoid excessive memory usage.

However, in Python 3.12.0 and later, this mechanism fails to engage, allowing the write buffer to grow unchecked in specific scenarios.

The issue lies with the functionality of asyncio._SelectorSocketTransport.writelines(), which fails to pause writing and drain the buffer upon reaching the high-water mark.

This oversight can result in unbounded memory usage, potentially causing memory exhaustion. Given the implications, the severity of this issue is classified as high.

This vulnerability affects Python 3.12.0+ on macOS/Linux, where asyncio protocols using .writelines() may not drain the write buffer, risking memory exhaustion due to the new zero-copy-on-write behavior introduced in Python 3.12.0.

The specific conditions required for this vulnerability to manifest narrow its scope. It only affects users who meet all of the following criteria:

  1. Python Versions: Using Python 3.12.0 or later.
  2. Operating Systems: Running on macOS or Linux.
  3. Module Usage: Actively using the asyncio module with protocols.
  4. Method Usage: Reliance on the .writelines() method, which introduced zero-copy-on-write behavior starting in Python 3.12.0.

If one or more of these criteria do not apply, your Python usage is likely unaffected.

The Python development team is actively addressing the issue. A fix has already been proposed and is under review via the following pull request.

  1. Patch as Soon as Available: Monitor the CVE listing and Python’s official repositories for security updates.
  2. Avoid Affected Versions: If possible, revert to an earlier version of Python (prior to 3.12.0) not impacted by the issue.
  3. Limit Use of .writelines(): Avoid or replace the usage of the writelines() method in affected environments until a fix is implemented.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free



Source link