Authorization Bypass Vulnerability in Go's PublicKeyCallback Implementation
CVE-2024-45337
Key Information:
- Vendor
- Golang.org/x/crypto
- Status
- Golang.org/x/crypto/ssh
- Vendor
- CVE Published:
- 12 December 2024
Badges
What is CVE-2024-45337?
CVE-2024-45337 is an authorization bypass vulnerability affecting the ServerConfig.PublicKeyCallback in the Golang.org/x/crypto library. This library is widely utilized in applications that implement SSH communication. The vulnerability arises because the PublicKeyCallback function can be misused, permitting attackers to potentially authenticate with a public key they do not control. If exploited, this could enable unauthorized access, compromising the security and integrity of applications relying on this function for user authentication.
Technical Details
The vulnerability centers on how the ServerConfig.PublicKeyCallback processes public keys during authentication. SSH allows clients to query acceptable public keys without proving ownership of the corresponding private keys. This means an application may inadvertently make authorization decisions based on keys that the attacker does not control. Specifically, a malicious actor can feed different public keys to the PublicKeyCallback and authenticate with one, leading the application to erroneously accept another key for authorization decisions. Although a partial mitigation has been introduced in golang.org/x/crypto version v0.31.0 to enforce that the last key passed for authentication will be the one used, vulnerabilities in third-party libraries or incorrect implementations still pose risks.
Potential Impact of CVE-2024-45337
-
Unauthorized Access: Attackers could gain unauthorized access to systems by exploiting this vulnerability, leading to potential data breaches and unauthorized manipulation of sensitive information.
-
Compromise of System Integrity: By bypassing authentication mechanisms, malicious actors can execute actions that compromise the integrity of the application or the underlying system, potentially leading to larger systemic failures.
-
Increased Attack Surface: The widespread use of the affected library in various applications means that many organizations are at risk, significantly increasing the potential attack surface and making it an attractive target for cybercriminals.
Affected Version(s)
golang.org/x/crypto/ssh 0 < 0.31.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved