CVE-2023-37920 Overview
CVE-2023-37920 affects Certifi, a Python package providing a curated collection of Root Certificates used to validate the trustworthiness of SSL certificates while verifying the identity of Transport Layer Security (TLS) hosts. Versions of Certifi prior to 2023.07.22 include e-Tugra root certificates in the trust store. e-Tugra was the subject of a security investigation after reports of issues in its certificate issuance systems. Certifi 2023.07.22 removes the e-Tugra root certificates from the bundled root store, eliminating the implicit trust relationship. The flaw is classified under CWE-345: Insufficient Verification of Data Authenticity.
Critical Impact
Applications using vulnerable Certifi versions implicitly trust certificates chaining to e-Tugra roots, enabling potential man-in-the-middle interception of TLS traffic if those roots are misused.
Affected Products
- Certifi Python package versions prior to 2023.07.22
- Fedora 38
- NetApp Active IQ Unified Manager, Management Services for Element Software, Management Services for NetApp HCI, ONTAP Mediator, ONTAP Select Deploy Administration Utility, and SolidFire & HCI Storage Node
Discovery Timeline
- 2023-07-25 - CVE-2023-37920 published to the National Vulnerability Database (NVD)
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-37920
Vulnerability Analysis
Certifi ships a Mozilla-derived bundle of Root Certificate Authorities (CAs) that Python HTTP clients such as requests and urllib3 use to validate TLS server certificates. The bundle in versions prior to 2023.07.22 includes root certificates operated by e-Tugra. Following a public discussion on the Mozilla dev-security-policy list regarding security issues in e-Tugra's systems, Mozilla and downstream consumers moved to distrust those roots.
Any Python application relying on the affected Certifi bundle accepts server certificates that chain to an e-Tugra root as valid. If the certificate authority issues a certificate to an unauthorized party, an attacker can present that certificate to clients and complete a TLS handshake without triggering validation errors. This breaks the integrity guarantees the TLS Public Key Infrastructure (PKI) is intended to provide.
Root Cause
The root cause is insufficient verification of data authenticity in the trust store itself. Certifi inherited the e-Tugra roots from upstream sources before the investigation concluded. Trust in a certificate authority is binary inside the bundle — once a root is present, every certificate chaining to it is accepted. The fix is the commit 8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909, which removes the e-Tugra roots from cacert.pem.
Attack Vector
Exploitation requires an attacker capable of obtaining a certificate issued under an e-Tugra root, either through misissuance, compromise, or insider abuse. With such a certificate, the attacker positions themselves between the Python client and the target host (for example, via DNS hijacking, BGP manipulation, or a hostile network). The vulnerable Certifi bundle validates the chain, and the client establishes a TLS session with the attacker, exposing credentials, API tokens, and application data. See the GitHub Security Advisory GHSA-xqr8-7jwr-rhp7 for additional technical detail.
Detection Methods for CVE-2023-37920
Indicators of Compromise
- TLS sessions from Python services terminating at endpoints whose certificate chains to an e-Tugra root
- Outbound HTTPS connections to unexpected destinations from services that depend on requests, urllib3, httpx, or other libraries that consume Certifi
- Presence of cacert.pem files from Certifi releases earlier than 2023.07.22 in deployed application bundles or container images
Detection Strategies
- Inventory installed Python packages and flag any host where pip show certifi reports a version below 2023.07.22
- Scan container images, virtual appliances, and frozen application bundles for the older cacert.pem file shipped by vulnerable Certifi releases
- Inspect TLS traffic at egress and alert on certificates whose issuer Distinguished Name (DN) references e-Tugra
Monitoring Recommendations
- Forward Software Bill of Materials (SBOM) and package inventory data into a centralized analytics platform to track Certifi versions across the estate
- Monitor Certificate Transparency (CT) logs for certificates issued under e-Tugra roots that affect domains your organization communicates with
- Track vendor advisories for downstream products, including the NetApp Security Advisory NTAP-20240912-0002 and the Fedora Package Announcement
How to Mitigate CVE-2023-37920
Immediate Actions Required
- Upgrade Certifi to version 2023.07.22 or later across all Python environments, including virtual environments, container images, and packaged applications
- Rebuild and redeploy container images that pin Certifi as a transitive dependency of libraries such as requests, httpx, or aiohttp
- Apply vendor patches for NetApp products listed in NTAP-20240912-0002 and update Fedora 38 systems through the Fedora Package Announcement
Patch Information
The upstream fix is delivered in Certifi 2023.07.22 through commit 8fb96ed, which removes the e-Tugra root certificates from cacert.pem. Refer to the GitHub Security Advisory for the full advisory text and the Mozilla Dev Policy Discussion for the trust decision background.
Workarounds
- If upgrading is not immediately possible, replace the bundled cacert.pem with a curated CA bundle that excludes e-Tugra roots and point SSL_CERT_FILE or REQUESTS_CA_BUNDLE at it
- Enforce certificate pinning for critical outbound integrations so the application rejects any chain that does not match the expected issuer
- Restrict egress traffic from Python workloads to known destinations, reducing the surface where a misissued certificate could be presented
# Upgrade Certifi and verify the installed version
pip install --upgrade 'certifi>=2023.07.22'
python -c "import certifi; print(certifi.__version__); print(certifi.where())"
# Optional: override the CA bundle with a curated file that excludes e-Tugra
export SSL_CERT_FILE=/etc/ssl/certs/curated-ca-bundle.pem
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/curated-ca-bundle.pem
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
