CVE-2016-0772
Published 2016-09-02
Priority: P3 · 54 · medium · CVSS 3.0 score 6.5
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Exploit: EPSS 14.52% (96.2th percentile)
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python2.7 | < python2.7 2.7.12~rc1-1 (bullseye) | python2.7 2.7.12~rc1-1 (bullseye) |
| python | python | <= 2.7.11 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
GHSA
GHSA-6m57-q338-h677 · ghsa_unreviewed · 2022-05-14 · CVE-2016-0772 [MEDIUM] · CWE-693
OSV
python2.7, python3.2, python3.4, python3.5 vulnerabilities
osv · 2016-11-22 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. (CVE-2016-0772)

Rémi Rampin discovered that Python would not protect CGI applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this to cause a CGI application to redirect outgoing HTTP requests. (CVE-2016-1000110)

Insu Yun discovered an integer overflow in the zipimporter module in Python that could lead to a heap-based overflow. An attacker could use this to craft a special zip file that when read by Python could possibly execute arbitrary code
OSV
CVE-2016-0772 · osv · 2016-09-02 · CVSS 6.5 · [MEDIUM]
Ubuntu
Python vulnerabilities
vendor_ubuntu · 2016-11-22 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Summary: Several security issues were fixed in Python.
It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. (CVE-2016-0772)

Rémi Rampin discovered that Python would not protect CGI applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this to cause a CGI application to redirect outgoing HTTP requests. (CVE-2016-1000110)

Insu Yun discovered an integer overflow in the zipimporter module in Python that could lead to a heap-based overflow. An attacker could use this to craft a special zip file that when read by Python could possibly execute arbitrary code
Red Hat
python: smtplib StartTLS stripping attack
vendor_redhat · 2016-06-11 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
It was found that Python's smtplib library did not raise an exception when StartTLS failed to be established in the SMTP.starttls() function. A man-in-the-middle attacker could strip out the STARTTLS command without triggering an exception in the Python SMTP client application, preventing the establishment of the TLS layer while the client continued in cleartext.
Package: python (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2016-0772: python2.7 · vendor_debian · 2016 · CVSS 6.5 · [MEDIUM]
Scope: local
bullseye: resolved (fixed in 2.7.12~rc1-1)
No detection rules found.
HackerOne
imap: StartTLS stripping attack (CVE-2016-0772).
hackerone · 2021-07-08 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
`net/imap` does not seem to raise an exception when the remote end (imap server) fails to respond with `tagged_response` (NO/BAD) or `OK` to an explicit call of `imap.starttls`. This may allow a malicious MITM to perform a starttls stripping attack if the client code does not explicitly set `usessl = true` on `initialize`, where it is disabled by default: it is rarely done, as one might expect that `starttls` raises an exception when starttls negotiation fails (like when using `usessl` on a server that does not support it, or when it fails to negotiate tls due to an ssl exception/cipher mismatch/auth fail).
The vulnerable code:
```ruby
def starttls(options = {}, verify = true)
  send_command("STARTTLS") do |resp|
    if resp.kind_of?(TaggedResponse)
      # (the excerpt in the report is cut off here; the TLS session is only
      # started inside this branch, and a response other than the expected
      # tagged OK is never turned into an exception)
    end
  end
end
```
HackerOne
CVE-2016-0772 - python: smtplib StartTLS stripping attack
hackerone · 2016-08-30 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
python smtplib starttls stripping attack
* affects: (basically all versions of smtplib with starttls support and projects relying on it)
  * python 2.7.2 - 2.7.11 (dates back ~14 years)
  * python 3.0 - 3.5.1 (dates back ~7 years)
Python's implementation of `smtplib` fails to raise an exception upon an unexpected response during negotiation of tls via the starttls protocol. This allows a MiTM capable of injecting smtp messages to force smtplib to **silently** abort tls negotiation, proceeding to transmit cleartext (impacting confidentiality).

For more details see [1].

Potentially affects a variety of open source projects from Django, web2py, ...

Initially reported to python PSRT (timeline see [1]) with details, PoC [2] and patch [2].
Bugzilla
CVE-2016-0772 pypy3: python: smtplib StartTLS stripping attack [fedora-all]
bugzilla · 2016-06-30 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multiple supported versions of Fedora.
Bugzilla
CVE-2016-0772 pypy: python: smtplib StartTLS stripping attack [epel-5]
bugzilla · 2016-06-30 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 pypy: python: smtplib StartTLS stripping attack [epel-6]
bugzilla · 2016-06-30 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 pypy: python: smtplib StartTLS stripping attack [fedora-all]
bugzilla · 2016-06-30 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 pypy: python: smtplib StartTLS stripping attack [epel-7]
bugzilla · 2016-06-30 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 python34: smtplib StartTLS stripping attack [epel-7]
bugzilla · 2016-06-22 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 python: smtplib StartTLS stripping attack [fedora-all]
bugzilla · 2016-06-14 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 python26: python: smtplib StartTLS stripping attack [epel-5]
bugzilla · 2016-06-14 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 python3: python: smtplib StartTLS stripping attack [fedora-all]
bugzilla · 2016-06-14 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
Bugzilla
CVE-2016-0772 python: smtplib StartTLS stripping attack
bugzilla · 2016-02-01 · CVSS 6.5 · CVE-2016-0772 [MEDIUM]
A vulnerability in smtplib allowing a MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.
Discussion:

Patch:
* Branch 2.7: https://hg.python.org/cpython/rev/b3ce713fb9be
* Branch 3.4: https://hg.python.org/cpython/rev/d590114c2394

---
Created python tracking bugs for this issue:
Affects: fedora-all [bug 1346344]

---
Created python26 tracking bugs for this issue:
Affects: epel-5 [bug 1346346]
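A fail-closed client-side check for the condition described in this report, written here as an added example (it is neither CPython's patch nor the reporter's PoC): `starttls_or_fail` refuses to continue unless STARTTLS was advertised, answered with 220 and actually produced a TLS socket, and `serve_one_stripped_session` is a constructed loopback peer that answers STARTTLS with 454, which is what a client sees when the upgrade is blocked in transit. All function and class names are chosen for this example; it assumes Python 3.4 or later.

```python
import smtplib
import socket
import ssl
import threading


class StartTlsStripped(Exception):
    """STARTTLS did not end in a TLS-protected session."""


def starttls_or_fail(smtp, context):
    """Upgrade an smtplib.SMTP session to TLS or fail closed: STARTTLS must be
    advertised, the reply must be 220 and the socket must really be TLS after.
    Pre-fix smtplib returned the refusal instead of raising, so a caller that
    ignored the return value carried on in cleartext; this holds either way."""
    smtp.ehlo_or_helo_if_needed()
    if not smtp.has_extn("starttls"):
        smtp.close()
        raise StartTlsStripped("server did not advertise STARTTLS")
    try:
        code, msg = smtp.starttls(context=context)
    except smtplib.SMTPException as exc:      # fixed smtplib raises itself
        smtp.close()
        raise StartTlsStripped("STARTTLS refused: %s" % exc) from exc
    if code != 220 or not isinstance(smtp.sock, ssl.SSLSocket):
        smtp.close()                          # pre-fix smtplib lands here
        raise StartTlsStripped("reply %s %r, not encrypted" % (code, msg))


def serve_one_stripped_session():
    """Constructed loopback peer: advertises STARTTLS but answers it 454, as a
    client sees when the upgrade is blocked in transit.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 mail.example ESMTP\r\n")
            for line in lines:                # one SMTP command per line
                verb = line.split(b" ", 1)[0].strip().upper()
                if verb == b"EHLO":
                    conn.sendall(b"250-mail.example\r\n250 STARTTLS\r\n")
                elif verb == b"STARTTLS":
                    conn.sendall(b"454 TLS not available\r\n")

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def probe(port):
    """Connect on loopback and report whether the TLS upgrade held."""
    smtp = smtplib.SMTP("127.0.0.1", port, local_hostname="localhost", timeout=5)
    try:
        starttls_or_fail(smtp, ssl.create_default_context())
        return "encrypted"
    except StartTlsStripped as exc:
        return "refused: " + str(exc)
```

Against the constructed peer, `probe` reports the refusal and the connection is closed before any credentials or message body could be sent in the clear; on a fixed smtplib the library raises on its own and the wrapper turns that into the same fail-closed result.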
References
* http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
* http://rhn.redhat.com/errata/RHSA-2016-1626.html
* http://rhn.redhat.com/errata/RHSA-2016-1627.html
* http://rhn.redhat.com/errata/RHSA-2016-1628.html
* http://rhn.redhat.com/errata/RHSA-2016-1629.html
* http://rhn.redhat.com/errata/RHSA-2016-1630.html
* http://www.openwall.com/lists/oss-security/2016/06/14/9
* http://www.securityfocus.com/bid/91225
* http://www.splunk.com/view/SP-CAAAPSV
* http://www.splunk.com/view/SP-CAAAPUE
* https://bugzilla.redhat.com/show_bug.cgi?id=1303647
* https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5
* https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2
* https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS
* https://hg.python.org/cpython/rev/b3ce713fb9be
* https://hg.python.org/cpython/rev/d590114c2394
* https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
* https://security.gentoo.org/glsa/201701-18