A DLL hijacking vulnerability has been discovered in CPython 3.6, 3.7
and 3.8 when running on Windows 7 or earlier.

An attacker who is able to place a DLL "api-ms-win-core-path-l1-1-0.dll"
earlier on the DLL search path than the System32 directory could cause
their file to be loaded and executed at interpreter startup instead of
the system one.

Prior to Windows 7, this file does not exist and may be placed anywhere
on the search path. After Windows 7, the DLL is loaded directly from its
API set and not using the search path. Only Windows 7 is impacted.

Patches to ensure that only the System32 copy of the file is loaded are
linked from the bug page below. The next release of each version
(3.6.11, 3.7.7, 3.8.2) will include the fixes. Python 3.9 does not
support Windows 7, and so is unimpacted.

Note that this attack will likely work against other applications on
Windows 7, and it is not unique to CPython. Upgrading to a supported
operating system is recommended.

CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315
Bug page: https://bugs.python.org/issue39401

Cheers,
Steve Dower and the Python Security Response Team
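
A defender-side check for the condition described in this advisory, added here as an example and not part of the original message or of the CPython patches: it reports whether an interpreter version predates the fixed releases listed above and lists any copy of the named DLL found outside System32. The directory list (interpreter directory, current directory, PATH) is an assumed approximation of the Windows DLL search path, and the function names are hypothetical.

```python
import os
import sys

DLL_NAME = "api-ms-win-core-path-l1-1-0.dll"  # file name from the advisory
FIXED = {(3, 6): 11, (3, 7): 7, (3, 8): 2}    # first fixed micro release per the advisory


def is_affected_version(version=sys.version_info):
    """True if a 3.6/3.7/3.8 interpreter predates the fixed release for its branch."""
    fixed_micro = FIXED.get((version[0], version[1]))
    return fixed_micro is not None and version[2] < fixed_micro


def candidate_dirs(executable=sys.executable, path_env=None):
    """Assumed approximation of the search path: interpreter dir, current dir, PATH."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    dirs = [os.path.dirname(executable) if executable else os.getcwd(), os.getcwd()]
    return dirs + [d for d in path_env.split(os.pathsep) if d]


def find_planted_copies(search_dirs, system32):
    """Return every copy of DLL_NAME that sits in a directory other than System32."""
    trusted = os.path.normcase(os.path.realpath(system32))
    hits, seen = [], set()
    for d in search_dirs:
        real = os.path.normcase(os.path.realpath(d))
        if real == trusted or real in seen:
            continue                          # skip the trusted copy and repeated entries
        seen.add(real)
        try:
            entries = os.listdir(real)
        except OSError:
            continue                          # missing or unreadable PATH entry
        for entry in entries:                 # match case-insensitively, as Windows does
            if entry.lower() == DLL_NAME:
                hits.append(os.path.join(real, entry))
    return hits


if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print("interpreter predates fixed release:", is_affected_version())
    for hit in find_planted_copies(candidate_dirs(), system32):
        print("copy outside System32:", hit)
```

Any path it reports on a Windows 7 host running an unfixed interpreter is a file that would be picked up by the search-path load described above and should be investigated.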