Authorization Bypass Vulnerability in Go's PublicKeyCallback Implementation
CVE-2024-45337

9.1CRITICAL

Key Information:

Vendor
Golang.org/x/crypto
Status
Golang.org/x/crypto/ssh
Vendor
CVE Published:
12 December 2024

Badges

📈 Score: 187👾 Exploit Exists🟡 Public PoC

What is CVE-2024-45337?

CVE-2024-45337 is an authorization bypass vulnerability affecting the ServerConfig.PublicKeyCallback in the Golang.org/x/crypto library. This library is widely utilized in applications that implement SSH communication. The vulnerability arises because the PublicKeyCallback function can be misused, permitting attackers to potentially authenticate with a public key they do not control. If exploited, this could enable unauthorized access, compromising the security and integrity of applications relying on this function for user authentication.

Technical Details

The vulnerability centers on how the ServerConfig.PublicKeyCallback processes public keys during authentication. SSH allows clients to query acceptable public keys without proving ownership of the corresponding private keys. This means an application may inadvertently make authorization decisions based on keys that the attacker does not control. Specifically, a malicious actor can feed different public keys to the PublicKeyCallback and authenticate with one, leading the application to erroneously accept another key for authorization decisions. Although a partial mitigation has been introduced in golang.org/x/crypto version v0.31.0 to enforce that the last key passed for authentication will be the one used, vulnerabilities in third-party libraries or incorrect implementations still pose risks.

Potential Impact of CVE-2024-45337

  1. Unauthorized Access: Attackers could gain unauthorized access to systems by exploiting this vulnerability, leading to potential data breaches and unauthorized manipulation of sensitive information.

  2. Compromise of System Integrity: By bypassing authentication mechanisms, malicious actors can execute actions that compromise the integrity of the application or the underlying system, potentially leading to larger systemic failures.

  3. Increased Attack Surface: The widespread use of the affected library in various applications means that many organizations are at risk, significantly increasing the potential attack surface and making it an attractive target for cybercriminals.

Affected Version(s)

golang.org/x/crypto/ssh 0 < 0.31.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Damien Tournoud (Platform.sh / Upsun)
Patrick Dawkins (Platform.sh / Upsun)
Vince Parker (Platform.sh / Upsun)
Jules Duvivier (Platform.sh / Upsun)
.