Daily Archives: May 28, 2015

Python 2.7.10 Released

Update: 8th December 2015:
The Python Foundation have released Python 2.7.11. Please see this more recent blog post for details.

Thank you.

=======================
Update: 24th November 2015:
At this time, Python 2.7.11 has entered release candidate testing (defined). The final version should be available in early December. I will update this post and publish a dedicated post when this update becomes available.

Thank you.

=======================
Original Post:
=======================
Last weekend, the Python Foundation made available an update to its older series of Python installers. Version 2.7.10 was released for the 2.7 code branch (3.4.3 is the most recent branch with 3.5 in alpha testing). On one of my PCs I have a specific piece of purchased software installed that requires Python 2.7.

This 2.7.10 update is significant since it incorporates the following noteworthy changes:

  • 4 buffer overflows resolved
  • 2 integer overflows resolved
  • 1 use after free bug resolved
  • Removes the RC4 cipher from the SSL module’s default cipher list
  • Upgrades the Windows build of Python 2.7.10 to include OpenSSL 1.0.2a (previously the OpenSSL version was 1.0.1j bundled with Python 2.7.9 released in December 2014)

The full changelog is available here.

While none of the above overflows or the use after free bug have been assigned CVE numbers, and they are not explicitly reported as security vulnerabilities, it is still best practice to patch these bugs if you are using an older version of Python. In addition, 14 CVEs have been resolved by the OpenSSL Project between the releases of OpenSSL 1.0.1k up to 1.0.2a (i.e. from the previous 2.7.9 version to the current 2.7.10). Please note that the total of 14 CVEs does not include CVEs that only affected the 1.0.2 branch.

For an explanation of what CVEs are, please see the first short aside within this blog post.

If you have Python 2.7 installed, please consider upgrading to the most recent 2.7.10 update to benefit from the above mentioned fixes. I installed the 2.7.10 update over the previous 2.7.9 version (the installer detects the previous version and offers to update it) and the application that requires Python mentioned above continues to work normally.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

KCodes NetUSB Security Flaw Found In Many Routers

Early last week a security vulnerability was disclosed in KCodes NetUSB. This is a Linux module that is provided as part of the operating system that runs within the router. It allows the sharing of USB services across your local network (i.e. to devices that are connected to your router). These devices could be external hard disks (for media sharing), webcams, printers etc.

The flaw within the KCodes module is a buffer overflow that can be exploited by connecting a computer which has a host name longer than 64 characters. Since this module runs in kernel mode (it’s a kernel driver), once the buffer overflow occurs the attacker can use this flaw to execute code or cause a denial of service.

For a list of affected routers, please see this SEC Consult security advisory and this CERT advisory. At the time of writing TP-Link has released updated firmware for some of their routers with further models to receive updates in the future (a timeline is presented in the aforementioned SEC Consult security advisory). In addition, Netgear is working to address this flaw in its affected products and plans to make updates available in July for this purpose.

How can I defend against/mitigate this attack?
While updates are pending, please ensure that your router’s administrative interface (usually accessible via a web browser) is protected with a strong password. In addition, on some models of router it may be possible to disable the sharing of USB devices on the network. In the case of Netgear routers, disabling this sharing feature has no effect. For all other routers that have this feature, preventing access to the sharing service by blocking access to TCP port 20005 (from your local internal network using the router’s firewall) will mitigate this vulnerability.
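
To confirm that the firewall rule described above is in effect, the following added example (not part of the original post or any vendor tooling) attempts a single TCP handshake to port 20005 from a machine on the local network and reports whether the sharing service is still reachable. The router address 192.168.1.1 is a constructed default; pass your own router's address as the first argument.

```python
import errno
import socket
import sys

NETUSB_PORT = 20005  # TCP port of the USB sharing service, as stated in the post


def probe_tcp(host, port=NETUSB_PORT, timeout=3.0):
    """Attempt one TCP handshake and classify the result.

    Returns "open" (handshake completed), "closed" (connection refused)
    or "filtered" (no answer or unreachable, typical of a firewall drop).
    No data is sent; the socket is closed as soon as the attempt ends.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        code = sock.connect_ex((host, port))
    finally:
        sock.close()
    if code == 0:
        return "open"
    if code == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def mitigation_status(host, port=NETUSB_PORT, timeout=3.0):
    """Return (state, mitigated); mitigated is False only when the port answers."""
    state = probe_tcp(host, port, timeout)
    return state, state != "open"


if __name__ == "__main__":
    # 192.168.1.1 is a constructed example address, not taken from the post.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    state, mitigated = mitigation_status(router)
    print("TCP %d on %s is %s" % (NETUSB_PORT, router, state))
    if mitigated:
        print("Sharing service not reachable from this machine.")
    else:
        print("Sharing service still reachable: disable it or block the port.")
    sys.exit(0 if mitigated else 1)
```

A "closed" or "filtered" result only describes the view from the machine that ran the check, so repeat it from each network segment (wired, wireless, guest) that the firewall rule is meant to cover.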

Update: 29th May 2015:
D-Link have made available a security advisory for this issue with a timeline for firmware updates that are currently under development. If you own a D-Link router, please check if your model is affected and take the necessary action (if applicable).

Finally, I would recommend monitoring the relevant website of your router’s manufacturer for firmware updates that address this flaw. Please follow the steps provided by your router manufacturer to apply the relevant updates. Thank you.