In July 2023, a subtle but impactful security change rippled through the Python ecosystem: Certifi, the widely-used bundle of trusted Certificate Authorities (CAs), issued an update in response to CVE-2023-37920. This update specifically removed the "e-Tugra" root certificates from its trust store. If you use Python for any HTTPS connections—especially with popular libraries like requests—this issue may affect you in ways you don't expect.
This post explains, in friendly language, what happened, why it matters for everyday developers, and what you should do. We’ll look at sample code, how to check if you’re affected, and how you can protect your projects.
What Is Certifi?
Certifi is a Python package that provides a carefully curated collection of valid root certificates. These are used by default in libraries such as requests and httpx to validate SSL/TLS connections.
If a root certificate is in Certifi’s store, you’re telling your Python programs: “I trust servers whose certificates chain back to these roots.” If a root certificate is removed, trust is immediately withdrawn from every certificate that chains to that root.
Who Is "e-Tugra" and What Happened?
e-Tugra is a Certificate Authority (CA), meaning they provide root certificates that allow for the verification of websites. In June 2023, the cybersecurity community reported security concerns about e-Tugra’s operations, sparking an investigation:
- Reports claimed their infrastructure security was not up to best practices
- The CA/B Forum (the industry watchdog for CAs) began formal review procedures
- See the Mozilla Bugzilla Case for community discussion
Given the risk, major root stores—including Mozilla’s and subsequently Certifi’s—chose to *remove* e-Tugra’s root certificates, effective with Certifi version 2023.07.22.
The Risk
If a Certificate Authority is breached or careless, attackers can forge certificates and intercept or impersonate secure HTTPS sites. This undermines trust in the whole internet ecosystem.
The Impact
If you use Certifi versions prior to 2023.07.22, your Python HTTPS clients might trust certificates issued by e-Tugra—exposing you to possible MITM (Man-in-the-Middle) attacks.
After the update, any server presenting a certificate that chains to e-Tugra’s root will not be trusted. You’ll see SSL errors like:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
Run this snippet in your Python project to locate the bundle file Certifi is using:
import certifi
print(certifi.where())  # path to the cacert.pem bundle in use
Open the file that is printed and search it for any lines mentioning e-Tugra. If any appear, you are on an outdated bundle.
Or, check your installed Certifi version:
python -m pip show certifi
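As an added example (not code from the original post), the script below automates both checks above: it parses the `# Issuer:`, `# Subject:` and `# Label:` comment headers that Certifi's cacert.pem places before each certificate, reports any entry naming e-Tugra, and compares the installed certifi version against 2023.07.22. The bundle text embedded in it is a constructed sample, and the script honours the REQUESTS_CA_BUNDLE environment variable that requests uses in preference to certifi.where().

```python
import re

# Certifi's cacert.pem prefixes every certificate with "# Issuer:", "# Subject:" and
# "# Label:" comment lines, so the bundle can be audited without decoding DER.
_META = re.compile(r"^# (Label|Subject|Issuer): (.*)$", re.MULTILINE)
DISTRUSTED = re.compile(r"e-tu[gğ]ra", re.IGNORECASE)  # covers every e-Tugra root name
FIXED_VERSION = "2023.07.22"  # first Certifi release without the e-Tugra roots
# Constructed sample in Certifi's layout; the base64 bodies are placeholders, not real certs.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
# Issuer: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Subject: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
"""

def parse_bundle(text: str) -> list:
    """Return one (label, metadata dict) tuple per certificate in the bundle."""
    entries = []
    for chunk in text.split("-----END CERTIFICATE-----")[:-1]:
        meta = {k: v.strip().strip('"') for k, v in _META.findall(chunk)}
        entries.append((meta.get("Label", "<unlabelled>"), meta))
    return entries

def find_distrusted(text: str) -> list:
    """Labels of entries whose label, subject or issuer names e-Tugra."""
    return [label for label, meta in parse_bundle(text)
            if any(DISTRUSTED.search(v) for v in meta.values())]

def version_tuple(version: str) -> tuple:
    """Certifi zero-pads inconsistently ('2023.5.7' vs '2023.07.22'), so compare ints."""
    return tuple(int(part) for part in version.split("."))

def is_fixed(version: str) -> bool:
    return version_tuple(version) >= version_tuple(FIXED_VERSION)

if __name__ == "__main__":
    import os, pathlib, certifi
    # requests honours REQUESTS_CA_BUNDLE over certifi.where(), so audit the file really in use.
    path = os.environ.get("REQUESTS_CA_BUNDLE") or certifi.where()
    hits = find_distrusted(pathlib.Path(path).read_text(encoding="utf-8"))
    print(f"certifi {certifi.__version__} fixed={is_fixed(certifi.__version__)} e-Tugra={hits or 'none'}")
```

A clean result prints fixed=True and e-Tugra=none; anything else means the bundle actually in use still trusts the removed roots.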
Suppose you use Python’s requests library to integrate with an HTTPS API:
import requests
# requests verifies the server certificate against Certifi's bundle by default
response = requests.get('https://some-e-tugra-signed-site.com/', timeout=10)
print(response.status_code)
- With old Certifi: The connection might look valid, even if that HTTPS site has an e-Tugra certificate (which might have been forged in a hypothetical breach).
- With updated Certifi: The code throws an SSL verification error, keeping you safe from untrusted roots.
Exploit Details
CVE-2023-37920 does not describe a direct software vulnerability (like a buffer overflow), but rather a *failure to distrust* a now-risky CA in the root certificate bundle. The practical exploit arises if an attacker leverages e-Tugra's risky certificate issuance practices, as cited in Mozilla's bug tracker, to intercept secure traffic of users with outdated trust stores.
Exploit Scenario
1. Attacker buys or forges TLS certificates from e-Tugra (possible if e-Tugra’s infrastructure is compromised).
2. Victim uses Python tools with old Certifi. HTTPS connections to the attacker’s fake site are accepted.
The fix is simple. Update your Certifi package:
python -m pip install --upgrade certifi
Now repeat the version check. It should read 2023.07.22 or later, and e-Tugra should be gone from the root store.
References and Further Reading
- CVE-2023-37920 at cve.org
- Certifi 2023.07.22 Release Notes
- Mozilla Bugzilla "e-Tugra: Incident Report"
- Certificate Authority Security Problems: Why They Matter
Final Thoughts
CVE-2023-37920 is a reminder: Certificate trust is a living thing. Even if code doesn’t change for years, the web’s security landscape might! Keeping your certificate stores up-to-date is as important as updating your code.
If you’re a maintainer—check your dependencies and containers. If you ship Python apps to others—make sure they get the latest trust stores.
Ignoring these changes leaves you, your users, and your data open to subtle but devastating attacks.
Stay secure: Update Certifi now.
*(This article is original content, intended for Python developers and software maintainers concerned about real-world security practices.)*
Timeline
Published on: 07/25/2023 21:15:00 UTC
Last modified on: 08/03/2023 16:19:00 UTC