Recently, an issue has been discovered in Python versions before the planned 3.11.1 release. This issue has been given the identifier CVE-2022-45061. The issue stems from an unnecessary quadratic algorithm, present in one of the paths when processing specific inputs to the Internationalized Domain Names in Applications (IDNA) decoder, following the specifications outlined in RFC 349. This vulnerability exposes systems to a potential CPU denial of service (DoS) attack when encountering a crafted, unreasonably long name presented to the decoder.

Attack Scenario

Hostnames used in web applications are often supplied by remote servers, which could be controlled by a malicious actor. In this scenario, an attacker could supply a crafted, excessively long hostname to trigger high CPU consumption on the client side, ultimately causing a denial of service. For example, an attacker could place the malicious payload in the Location header of an HTTP response carrying status code 302.

This code snippet demonstrates how the author proposes to trigger the quadratic complexity in the IDNA (RFC 349) decoder.

import idna  # third-party "idna" package from PyPI; CPython's own codec is reached via str.encode("idna")

hostname_payload = "a" * 10000                    # a single 10,000-character label
encoded_hostname = idna.encode(hostname_payload)  # hand the overly long name to the encoder

At this point, the encoded_hostname variable will contain an unreasonably long hostname that takes advantage of the quadratic complexity issue.

Mitigation

Developers are working on a fix for this vulnerability, which will be introduced in upcoming Python releases: 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

In the meantime, developers are encouraged to check for overly long hostnames before passing them to IDNA decoder libraries, and to limit the size of hostnames accepted from untrusted sources.
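The following is an added example of the pre-check recommended above, written for this page rather than taken from the advisory or from CPython. It applies the DNS length limits (253 characters per name, 63 per label, RFC 1035) to the raw, untrusted string before the standard-library IDNA codec processes it, and wraps that check around the redirect case from the attack scenario: the host taken from a Location header is validated before an HTTP client would follow it. The function names and the sample inputs are this example's own.

```python
import urllib.parse

# Limits from the DNS wire format (RFC 1035): a hostname is at most 253
# characters once the trailing dot is removed, and each label is at most 63.
# The IDNA codec only enforces its own label-length limit at the end of
# ToASCII, after the expensive processing, so these checks run on the raw,
# untrusted string before the codec ever sees it.
MAX_HOSTNAME_LEN = 253
MAX_LABEL_LEN = 63


def hostname_length_ok(hostname: str) -> bool:
    """Return True if the whole name and every label are within DNS limits.

    This is a conservative pre-check: it counts code points of the raw input,
    so a Unicode label that would shrink under nameprep could be rejected, but
    no over-long input ever reaches the codec.
    """
    name = hostname.rstrip(".")
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    return all(0 < len(label) <= MAX_LABEL_LEN for label in name.split("."))


def safe_idna_encode(hostname: str) -> bytes:
    """Encode a hostname with the stdlib IDNA codec only after the length check."""
    if not hostname_length_ok(hostname):
        raise ValueError("hostname rejected before IDNA processing: too long or malformed")
    # str.encode("idna") is CPython's encodings.idna codec, the component the
    # advisory concerns; the PyPI "idna" package is a separate implementation.
    return hostname.encode("idna")


def validate_redirect_target(location: str) -> str:
    """Check the host of a Location header before an HTTP client follows it.

    Returns the ASCII (ACE) form of the host, or raises ValueError.
    """
    parts = urllib.parse.urlsplit(location)
    host = parts.hostname
    if not host:
        raise ValueError("redirect target has no host")
    return safe_idna_encode(host).decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs: an internationalized name, a normal redirect,
    # and an over-long redirect of the kind the advisory describes.
    print(safe_idna_encode("bücher.example"))
    for loc in ("http://example.com/login", "http://" + "a" * 10000 + "/"):
        try:
            print("ok:", validate_redirect_target(loc))
        except ValueError as exc:
            print("rejected:", exc)
```

The check deliberately runs on the string before any decoding: the point of the mitigation is that the decoder never gets to spend time on a name that could not be valid anyway, so a length test after the codec call would defeat the purpose.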

References

- Python Official Changelog
- RFC 349: Internationalizing Domain Names in Applications (IDNA)
- CVE-2022-45061

Exploit Details

As previously mentioned, attackers may exploit this vulnerability by supplying a crafted payload, such as an excessively long hostname, to be processed by the IDNA decoder. By doing so, they can trigger the quadratic complexity issue, causing excessive CPU consumption and resulting in a denial of service.

The attack could be executed remotely; in some cases it is as simple as sending an HTTP response with a specially crafted Location header and a status code of 302, forcing the client to follow the malicious redirect and process the payload through an IDNA decoder.

Timeline

Published on: 11/09/2022 07:15:00 UTC
Last modified on: 11/09/2022 21:17:00 UTC