Authorization Bypass Vulnerability in Go's PublicKeyCallback Implementation

CVE-2024-45337

What is CVE-2024-45337?

CVE-2024-45337 is an authorization bypass vulnerability affecting the ServerConfig.PublicKeyCallback in the Golang.org/x/crypto library. This library is widely utilized in applications that implement SSH communication. The vulnerability arises because the PublicKeyCallback function can be misused, permitting attackers to potentially authenticate with a public key they do not control. If exploited, this could enable unauthorized access, compromising the security and integrity of applications relying on this function for user authentication.

Technical Details

The vulnerability centers on how the ServerConfig.PublicKeyCallback processes public keys during authentication. SSH allows clients to query acceptable public keys without proving ownership of the corresponding private keys. This means an application may inadvertently make authorization decisions based on keys that the attacker does not control. Specifically, a malicious actor can feed different public keys to the PublicKeyCallback and authenticate with one, leading the application to erroneously accept another key for authorization decisions. Although a partial mitigation has been introduced in golang.org/x/crypto version v0.31.0 to enforce that the last key passed for authentication will be the one used, vulnerabilities in third-party libraries or incorrect implementations still pose risks.

Potential Impact of CVE-2024-45337

1. Unauthorized Access: Attackers could gain unauthorized access to systems by exploiting this vulnerability, leading to potential data breaches and unauthorized manipulation of sensitive information.

2. Compromise of System Integrity: By bypassing authentication mechanisms, malicious actors can execute actions that compromise the integrity of the application or the underlying system, potentially leading to larger systemic failures.

3. Increased Attack Surface: The widespread use of the affected library in various applications means that many organizations are at risk, significantly increasing the potential attack surface and making it an attractive target for cybercriminals.

References