| id: GO-2024-3321 |
| modules: |
| - module: golang.org/x/crypto |
| versions: |
| - fixed: 0.31.0 |
| vulnerable_at: 0.30.0 |
| packages: |
| - package: golang.org/x/crypto/ssh |
| symbols: |
| - ServerConfig.PublicKeyCallback |
| summary: |- |
| Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in |
| golang.org/x/crypto |
| description: |- |
| Applications and libraries which misuse the ServerConfig.PublicKeyCallback |
| callback may be susceptible to an authorization bypass. |
| |
| The documentation for ServerConfig.PublicKeyCallback says that "A call to this |
| function does not guarantee that the key offered is in fact used to |
| authenticate." Specifically, the SSH protocol allows clients to inquire about |
| whether a public key is acceptable before proving control of the corresponding |
| private key. PublicKeyCallback may be called with multiple keys, and the order |
| in which the keys were provided cannot be used to infer which key the client |
| successfully authenticated with, if any. Some applications, which store the |
| key(s) passed to PublicKeyCallback (or derived information) and make security |
| relevant determinations based on it once the connection is established, may make |
| incorrect assumptions. |
| |
| For example, an attacker may send public keys A and B, and then authenticate |
| with A. PublicKeyCallback would be called only twice, first with A and then with |
| B. A vulnerable application may then make authorization decisions based on key B |
| for which the attacker does not actually control the private key. |
| |
| Since this API is widely misused, as a partial mitigation |
| golang.org/x/cry...@v0.31.0 enforces the property that, when successfully |
| authenticating via public key, the last key passed to |
| ServerConfig.PublicKeyCallback will be the key used to authenticate the |
| connection. PublicKeyCallback will now be called multiple times with the same |
| key, if necessary. Note that the client may still not control the last key |
| passed to PublicKeyCallback if the connection is then authenticated with a |
| different method, such as PasswordCallback, KeyboardInteractiveCallback, or |
| NoClientAuth. |
| |
| Users should be using the Extensions field of the Permissions return value from |
| the various authentication callbacks to record data associated with the |
| authentication attempt instead of referencing external state. Once the |
| connection is established the state corresponding to the successful |
| authentication attempt can be retrieved via the ServerConn.Permissions field. |
| Note that some third-party libraries misuse the Permissions type by sharing it |
| across authentication attempts; users of third-party libraries should refer to |
| the relevant projects for guidance. |
| ghsas: |
| - GHSA-v778-237x-gjrc |
| credits: |
| - Damien Tournoud (Platform.sh / Upsun) |
| - Patrick Dawkins (Platform.sh / Upsun) |
| - Vince Parker (Platform.sh / Upsun) |
| - Jules Duvivier (Platform.sh / Upsun) |
| references: |
| - fix: https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 |
| - fix: https://go.dev/cl/635315 |
| - report: https://go.dev/issue/70779 |
| - web: https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ |
| cve_metadata: |
| id: CVE-2024-45337 |
| cwe: 'CWE-1108: Excessive Reliance on Global Variables' |
| source: |
| id: go-security-team |
| created: 2024-12-11T08:45:55.544926-08:00 |
| review_status: REVIEWED |
