CVE-2024-39689 Overview
CVE-2024-39689 is a certificate validation bypass vulnerability affecting Certifi, a widely used Python package that provides a curated collection of root certificates for validating SSL/TLS certificates when verifying the identity of TLS hosts. The vulnerability stems from Certifi's inclusion of root certificates from GLOBALTRUST, a Certificate Authority (CA) with long-running and unresolved compliance issues that led to its removal from Mozilla's trust store.
Applications relying on vulnerable versions of Certifi (2021.5.30 up to, but not including, 2024.7.4) may trust SSL/TLS certificates issued by GLOBALTRUST, potentially allowing attackers to perform man-in-the-middle attacks or present fraudulent certificates that would be incorrectly validated as trustworthy.
Critical Impact
Applications using affected Certifi versions may accept certificates from an untrusted Certificate Authority, enabling potential man-in-the-middle attacks and undermining the integrity of TLS communications across Python applications.
Affected Products
- Certifi versions from 2021.5.30 up to, but not including, 2024.7.4
- NetApp Management Services for Element Software and NetApp HCI
- NetApp ONTAP Select Deploy Administration Utility
- NetApp ONTAP Tools 10 for VMware vSphere
Discovery Timeline
- July 5, 2024 - CVE-2024-39689 published to NVD
- February 15, 2025 - Last updated in NVD database
Technical Details for CVE-2024-39689
Vulnerability Analysis
This vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity). The core issue lies in the certificate trust chain validation process: when Certifi's bundle includes a root certificate from a Certificate Authority that fails to meet compliance standards, any certificate chaining to that CA is implicitly trusted by applications using the affected Certifi versions.
The GLOBALTRUST root certificates were being investigated for compliance issues, which prompted Mozilla to initiate their removal from its root store. Since Certifi maintains its own bundle of root certificates derived from Mozilla's trust store, the delayed removal of GLOBALTRUST certificates created a window where Python applications could trust certificates that should no longer be considered trustworthy.
Root Cause
The root cause of this vulnerability is the inclusion of the GLOBALTRUST 2020 root certificate in Certifi's cacert.pem bundle despite ongoing compliance investigations. The bundle shipped with Certifi contained the GLOBALTRUST root certificate issued by e-commerce monitoring GmbH, with a validity period extending to 2040. The compliance issues identified during the investigation necessitated proactively removing this certificate before Mozilla's own removal of it from its root store was complete.
Attack Vector
The attack vector is network-based and requires no user interaction or privileges. An attacker could potentially:
- Obtain a fraudulently issued certificate from GLOBALTRUST
- Present this certificate to applications using vulnerable Certifi versions
- Perform man-in-the-middle attacks on HTTPS connections
- Intercept or modify encrypted communications between the application and legitimate services
Since this affects the integrity of certificate validation, attackers could potentially impersonate legitimate services to steal credentials, inject malicious content, or exfiltrate sensitive data.
# Security patch in certifi/__init__.py - 2024.07.04 (#295)
# Source: https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
from .core import contents, where
__all__ = ["contents", "where"]
-__version__ = "2024.06.02"
+__version__ = "2024.07.04"
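Review bot: The excerpt shown changes only `__version__` (`-__version__ = "2024.06.02"` / `+__version__ = "2024.07.04"`) in certifi/__init__.py, while the removal of the GLOBALTRUST 2020 root from cacert.pem that the surrounding text attributes to this commit does not appear in it; either include the cacert.pem hunk or state that only the version bump is excerpted here. The two unchanged lines `from .core import contents, where` and `__all__ = ["contents", "where"]` are context but carry no leading space and there is no `@@` header, so the excerpt is not a well-formed unified diff and cannot be applied as one.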
The patch removes the GLOBALTRUST root certificate from the certificate bundle. The removed certificate had the following identifiers:
- CN: GLOBALTRUST 2020
- Organization: e-commerce monitoring GmbH
- SHA256 Fingerprint: 9a:29:6a:51:82:d1:d4:51:a2:e3:7f:43:9b:74:da:af:a2:67:52:33:29:f9:0f:9a:0d:20:07:c3:34:e2:3c:9a
Detection Methods for CVE-2024-39689
Indicators of Compromise
- Applications establishing TLS connections with certificates signed by GLOBALTRUST root CA
- Certificate chains containing the GLOBALTRUST 2020 root certificate (SHA1: d0:67:c1:13:51:01:0c:aa:d0:c7:6a:65:37:31:16:26:4f:53:71:a2)
- Unexpected certificate validation successes for services that should not be using GLOBALTRUST-issued certificates
- TLS handshake logs showing trust of certificates issued by e-commerce monitoring GmbH
Detection Strategies
- Audit Python environments for Certifi versions from 2021.5.30 up to, but not including, 2024.7.4, using pip list | grep certifi or dependency scanning tools
- Implement certificate pinning in critical applications to detect unauthorized CA usage
- Monitor network traffic for TLS connections using certificates with GLOBALTRUST in the issuer chain
- Deploy software composition analysis (SCA) tools to identify vulnerable Certifi dependencies across your codebase
Monitoring Recommendations
- Enable TLS certificate logging at the application and network levels to track certificate issuers
- Set up alerts for any certificate chains involving GLOBALTRUST or e-commerce monitoring GmbH
- Regularly audit Python package dependencies using tools like pip-audit or safety
- Monitor security advisories from Mozilla, Certifi, and relevant vendors for updates on CA trust changes
How to Mitigate CVE-2024-39689
Immediate Actions Required
- Upgrade Certifi to version 2024.7.4 or later immediately using pip install --upgrade certifi
- Verify the upgrade was successful by running python -c "import certifi; print(certifi.__version__)"
- Review all Python applications and virtual environments to ensure no legacy Certifi versions remain
- For NetApp products, apply the relevant security updates as specified in the NetApp Security Advisory
Patch Information
The fix was implemented in Certifi version 2024.7.4 through commit bd8153872e9c6fc98f4023df9c2deaffea2fa463. This patch removes the GLOBALTRUST 2020 root certificate from the cacert.pem certificate bundle, aligning with Mozilla's decision to remove these certificates from their trust store.
For more details, refer to the GitHub Security Advisory and the Mozilla Dev Security Policy Discussion.
Workarounds
- If immediate upgrade is not possible, manually remove the GLOBALTRUST certificate from the cacert.pem file in the Certifi package directory
- Implement certificate pinning for critical connections to ensure only expected certificates are trusted
- Use a custom certificate bundle that excludes GLOBALTRUST certificates by setting the REQUESTS_CA_BUNDLE environment variable
- Consider implementing additional certificate validation logic at the application level
# Upgrade Certifi to a patched version (quote the specifier so the shell does not treat ">=" as a redirect)
pip install --upgrade 'certifi>=2024.7.4'
# Verify the installed version
python -c "import certifi; print(certifi.__version__)"
# Check for vulnerable versions across all virtual environments: the dist-info directory name carries the installed version
find /path/to/venvs -type d -name 'certifi-*.dist-info'
# For applications using the requests library, show which certificate bundle file is in use
python -c "import certifi; print(certifi.where())"
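As an added example (not code from the certifi project or from this advisory), the following Python script performs the two checks described under Detection Strategies and Workarounds above: it classifies a certifi version against the affected range, and it scans a PEM bundle for the GLOBALTRUST 2020 root by the SHA-256 fingerprint listed on this page, producing a filtered copy of the kind one would point REQUESTS_CA_BUNDLE at. The function names, the `_norm` helper and the sample bundle at the bottom (built from arbitrary bytes, not real certificates) are constructed here.

```python
import base64
import hashlib
import re

# SHA-256 fingerprint of the GLOBALTRUST 2020 root, as listed on this page.
GLOBALTRUST_2020_SHA256 = (
    "9a:29:6a:51:82:d1:d4:51:a2:e3:7f:43:9b:74:da:af:"
    "a2:67:52:33:29:f9:0f:9a:0d:20:07:c3:34:e2:3c:9a"
)
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def _norm(fp):
    """Normalise 'aa:bb:...' or 'AABB...' to lowercase hex without colons."""
    return fp.replace(":", "").lower()

def is_vulnerable_version(version):
    """True for 2021.5.30 <= version < 2024.7.4 (certifi versions are YYYY.M.D)."""
    v = tuple(int(p) for p in version.split("."))
    return (2021, 5, 30) <= v < (2024, 7, 4)

def fingerprints(pem_text):
    """Yield (sha256_hex, pem_block) for each certificate in a PEM bundle."""
    for m in _PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))  # PEM body -> DER
        yield hashlib.sha256(der).hexdigest(), m.group(0)

def contains_cert(pem_text, sha256=GLOBALTRUST_2020_SHA256):
    """Detection: is a certificate with this fingerprint present in the bundle?"""
    return any(fp == _norm(sha256) for fp, _ in fingerprints(pem_text))

def remove_cert(pem_text, sha256=GLOBALTRUST_2020_SHA256):
    """Workaround: return the bundle's certificate blocks minus the flagged one."""
    kept = [blk for fp, blk in fingerprints(pem_text) if fp != _norm(sha256)]
    return "\n".join(kept) + "\n"

# Constructed sample bundle: arbitrary bytes stand in for DER; these are not real certs.
def _pem(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body

SAMPLE_A_SHA256 = hashlib.sha256(b"constructed-cert-A").hexdigest()
SAMPLE_BUNDLE = _pem(b"constructed-cert-A") + "\n" + _pem(b"constructed-cert-B") + "\n"

if __name__ == "__main__":  # check the real installed bundle when certifi is present
    import certifi
    print("certifi", certifi.__version__, "vulnerable:", is_vulnerable_version(certifi.__version__))
    with open(certifi.where()) as f:
        print("GLOBALTRUST 2020 present:", contains_cert(f.read()))
```

The filtered copy keeps only certificate blocks, so the `# Issuer:` / `# Label:` comment headers that certifi writes between entries are dropped; that does not affect how the bundle is loaded.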
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.