Summary: A critical vulnerability (CVE-2024-45337) in the Golang cryptography library could lead to authorization bypasses due to improper handling of public keys during SSH connections. Attackers can exploit this flaw by misleading servers with multiple public keys or using alternative authentication methods.
Threat Actor: Unknown | unknown
Victim: Various applications using Golang | various applications using Golang
Key Point :
- A critical security flaw in the Golang cryptography library allows for potential authorization bypasses.
- The vulnerability is due to the misuse of the ServerConfig.PublicKeyCallback function, which does not guarantee the authenticity of keys.
- Attackers can exploit this by presenting multiple public keys or authenticating through alternative methods.
- Mitigation includes upgrading to golang.org/x/crypto v0.31.0 or later and properly utilizing permissions in authentication callbacks.
- Review third-party libraries for potential misuses of PublicKeyCallback and the Permissions field.
A critical security vulnerability, tracked as CVE-2024-45337 (CVSS 9.1), has been discovered in the Golang cryptography library. This flaw stems from the misuse of the ServerConfig.PublicKeyCallback function, potentially leading to authorization bypasses in applications and libraries.
The Root of the Problem:
The PublicKeyCallback function is designed to allow servers to verify the authenticity of public keys offered by clients during SSH connections. However, the documentation explicitly states that this callback does not guarantee the actual key used for authentication.
The vulnerability arises when applications incorrectly rely on the order or content of keys presented to PublicKeyCallback to make authorization decisions. Attackers can exploit this by:
- Presenting multiple public keys: An attacker can send a series of public keys, with the intent of misleading the server.
- Authenticating with a different key: Even if the server verifies a specific public key, the attacker can authenticate using a different method entirely (e.g., password, keyboard-interactive).
This misalignment between the presented keys and the actual authentication method can trick vulnerable applications into granting unauthorized access.
Mitigation:
- Upgrade to golang.org/x/crypto v0.31.0 or later: This version includes a critical fix that enforces the use of the last key passed to PublicKeyCallback during successful public key authentication.
- Properly Utilize Permissions: Applications should leverage the Permissions field within authentication callbacks to store and retrieve data relevant to the authentication attempt. Avoid making authorization decisions based on external state or the order of keys presented to PublicKeyCallback.
- Review Third-Party Libraries: If using third-party libraries that interact with golang.org/x/crypto, carefully review their documentation and implementation for potential misuses of PublicKeyCallback and the Permissions field.
Related Posts:
Source: https://securityonline.info/cve-2024-45337-golang-crypto-library-flawed-risks-authorization-bypass