[security] Vulnerability in golang.org/x/crypto/ssh

4,139 views
Skip to first unread message

Roland Shoemaker

unread,
Dec 18, 2023, 12:12:00 PM12/18/23
to golang-...@googlegroups.com
Hello gophers,

Version v0.17.0 of golang.org/x/crypto fixes a protocol weakness in the golang.org/x/crypto/ssh package that allowed a MITM attacker to compromise the integrity of the secure channel before it was established, allowing them to prevent transmission of a number of messages immediately after the secure channel was established without either side being aware.

The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features.

This protocol weakness was also fixed in OpenSSH 9.6.

Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.

This is CVE-2023-48795 and Go issue https://go.dev/issue/64784.

Cheers,
Roland on behalf of the Go team
Reply all
Reply to author
Forward
0 new messages