CVE-2016-0772

Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

La librería smtplib en CPython (también conocido como Python) en versiones anteriores a 2.7.12, 3.x en versiones anteriores a 3.4.5 y 3.5.x en versiones anteriores a 3.5.2 no devuelve un error cuando StartTLS falla, lo que podría permitir a atacantes man-in-the-middle eludir las protecciones TLS mediante el aprovechamiento de una posición de red entre el cliente y el registro para bloquear el comando StartTLS, también conocido como un "ataque de decapado StartTLS".

It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-12-16 CVE Reserved
2016-07-03 First Exploit
2016-08-21 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-693: Protection Mechanism Failure

CAPEC

References (20)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2016/06/14/9	Mailing List
http://www.securityfocus.com/bid/91225	Vdb Entry
http://www.splunk.com/view/SP-CAAAPSV	X_refsource_confirm
http://www.splunk.com/view/SP-CAAAPUE	X_refsource_confirm
https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5	Release Notes
https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2	Release Notes
https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS	Release Notes
https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html	Mailing List

URL	Date	SRC
https://www.exploit-db.com/exploits/43500	2016-07-03

URL	Date	SRC
https://hg.python.org/cpython/rev/b3ce713fb9be	2019-02-09
https://hg.python.org/cpython/rev/d590114c2394	2019-02-09

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	2019-02-09
http://rhn.redhat.com/errata/RHSA-2016-1626.html	2019-02-09
http://rhn.redhat.com/errata/RHSA-2016-1627.html	2019-02-09
http://rhn.redhat.com/errata/RHSA-2016-1628.html	2019-02-09
http://rhn.redhat.com/errata/RHSA-2016-1629.html	2019-02-09
http://rhn.redhat.com/errata/RHSA-2016-1630.html	2019-02-09
https://bugzilla.redhat.com/show_bug.cgi?id=1303647	2016-08-18
https://security.gentoo.org/glsa/201701-18	2019-02-09
https://access.redhat.com/security/cve/CVE-2016-0772	2016-08-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.5.0 Search vendor "Python" for product "Python" and version "3.5.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.5.1 Search vendor "Python" for product "Python" and version "3.5.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.0 Search vendor "Python" for product "Python" and version "3.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.0.1 Search vendor "Python" for product "Python" and version "3.0.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.1.0 Search vendor "Python" for product "Python" and version "3.1.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.1.1 Search vendor "Python" for product "Python" and version "3.1.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.1.2 Search vendor "Python" for product "Python" and version "3.1.2"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.1.3 Search vendor "Python" for product "Python" and version "3.1.3"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.1.4 Search vendor "Python" for product "Python" and version "3.1.4"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.1.5 Search vendor "Python" for product "Python" and version "3.1.5"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.0 Search vendor "Python" for product "Python" and version "3.2.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.1 Search vendor "Python" for product "Python" and version "3.2.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.2 Search vendor "Python" for product "Python" and version "3.2.2"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.3 Search vendor "Python" for product "Python" and version "3.2.3"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.4 Search vendor "Python" for product "Python" and version "3.2.4"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.5 Search vendor "Python" for product "Python" and version "3.2.5"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.2.6 Search vendor "Python" for product "Python" and version "3.2.6"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.0 Search vendor "Python" for product "Python" and version "3.3.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.1 Search vendor "Python" for product "Python" and version "3.3.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.2 Search vendor "Python" for product "Python" and version "3.3.2"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.3 Search vendor "Python" for product "Python" and version "3.3.3"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.4 Search vendor "Python" for product "Python" and version "3.3.4"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.5 Search vendor "Python" for product "Python" and version "3.3.5"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.3.6 Search vendor "Python" for product "Python" and version "3.3.6"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.4.0 Search vendor "Python" for product "Python" and version "3.4.0"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.4.1 Search vendor "Python" for product "Python" and version "3.4.1"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.4.2 Search vendor "Python" for product "Python" and version "3.4.2"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.4.3 Search vendor "Python" for product "Python" and version "3.4.3"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				3.4.4 Search vendor "Python" for product "Python" and version "3.4.4"		-		Affected
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				<= 2.7.11 Search vendor "Python" for product "Python" and version " <= 2.7.11"		-		Affected