Description
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any.
Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state.
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
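
The callback sequence described above, as an added Go example (not code from golang.org/x/crypto/ssh or from the advisory): a toy model of the server's key handling that returns the identity derived from external "last key seen" state next to the one read from Permissions.Extensions. The Permissions type, handshake, connect, the patched flag and the key fingerprints are constructed stand-ins, not the library's API.

```go
package main

import "fmt"

// Permissions is a simplified stand-in for ssh.Permissions (Extensions only).
type Permissions struct{ Extensions map[string]string }

// Constructed sample data: key fingerprint -> account.
var authorized = map[string]string{"SHA256:keyA": "guest", "SHA256:keyB": "admin"}

// handshake is a toy model of the server side: cb runs once per distinct key
// (cached); with patched=true it is re-run for the proven key so that key is
// the last one cb sees (the v0.31.0 guarantee). Returns the proven key's result.
func handshake(cb func(string) (*Permissions, error), queried []string, signed string, patched bool) *Permissions {
	cache, last := map[string]*Permissions{}, ""
	for _, fp := range append(append([]string{}, queried...), signed) {
		_, seen := cache[fp]
		if !seen || (patched && fp == signed && last != fp) {
			cache[fp], _ = cb(fp)
			last = fp
		}
	}
	return cache[signed] // nil if the proven key was rejected
}

// connect runs one handshake and returns the account an application would
// derive from external state (fromState) and from the Extensions of the
// successful attempt (fromPerms; ServerConn.Permissions in the library).
func connect(queried []string, signed string, patched bool) (fromState, fromPerms string) {
	lastKey := "" // external state, overwritten on every accepted key
	perms := handshake(func(fp string) (*Permissions, error) {
		user, ok := authorized[fp]
		if !ok {
			return nil, fmt.Errorf("unknown key %s", fp)
		}
		lastKey = fp
		return &Permissions{Extensions: map[string]string{"user": user}}, nil
	}, queried, signed, patched)
	if perms == nil {
		return "", ""
	}
	return authorized[lastKey], perms.Extensions["user"]
}

func main() {
	offered := []string{"SHA256:keyA", "SHA256:keyB"}   // client can sign only with keyA
	fmt.Println(connect(offered, "SHA256:keyA", false)) // admin guest
	fmt.Println(connect(offered, "SHA256:keyA", true))  // guest guest
}
```

The Extensions-based result is the same in both runs; only the external-state result depends on the callback order.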
EPSS Score:
33%
Comprehensive Technical Analysis of EUVD-2024-3508
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description:
The vulnerability EUVD-2024-3508 pertains to the misuse of the connection.serverAuthenticate function via the ServerConfig.PublicKeyCallback in applications and libraries. This misuse can lead to an authorization bypass, where an attacker can manipulate the order of public keys provided during the SSH authentication process. The PublicKeyCallback may be called multiple times with different keys, and the order does not guarantee which key was used for successful authentication. This can result in incorrect security decisions by applications that rely on the order of keys.
Severity Evaluation:
- Base Score: 9.1
- Base Score Version: 3.1
- Base Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
The high base score indicates a critical vulnerability. The attack vector is network-based (AV:N), requires low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact on confidentiality and integrity is high (C:H/I:H), while availability is not affected (A:N).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Network-Based Attacks: An attacker can exploit this vulnerability over the network without needing physical access to the system.
- Man-in-the-Middle (MitM) Attacks: An attacker can intercept and manipulate the SSH authentication process by sending multiple public keys and then authenticating with a key different from the one expected by the application.
Exploitation Methods:
- Key Manipulation: The attacker sends multiple public keys (A and B) and authenticates with key A. The vulnerable application may incorrectly assume that key B was used for authentication, leading to incorrect authorization decisions.
- Bypassing Security Checks: By manipulating the order of keys, the attacker can bypass security checks that rely on the order of keys provided during the authentication process.
3. Affected Systems and Software Versions
Affected Software:
- golang.org/x/crypto/ssh versions prior to 0.31.0
Affected Systems:
- Any system or application that uses the vulnerable versions of the golang.org/x/crypto/ssh library for SSH authentication.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Update to the Latest Version: Upgrade to golang.org/x/crypto/ssh version 0.31.0 or later, which enforces that the last key passed to ServerConfig.PublicKeyCallback is the key used for authentication.
- Patch Management: Ensure that all systems and applications using the affected library are patched and updated to the latest secure version.
Long-Term Mitigation:
- Code Review: Conduct a thorough code review to identify and correct any misuse of the PublicKeyCallback and ensure that security decisions are based on the correct authentication key.
- Use Extensions Field: Utilize the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt.
- Avoid External State References: Do not rely on external state references for security decisions. Use the ServerConn.Permissions field to retrieve the state corresponding to the successful authentication attempt.
5. Impact on European Cybersecurity Landscape
Impact Assessment:
- Widespread Use: The golang.org/x/crypto/ssh library is widely used in various applications and systems across Europe, making the vulnerability a significant concern.
- Critical Infrastructure: Organizations relying on SSH for secure communications, including critical infrastructure, financial institutions, and government agencies, are at risk.
- Compliance and Regulations: Non-compliance with security standards and regulations can result in legal and financial penalties, further emphasizing the need for prompt mitigation.
6. Technical Details for Security Professionals
Technical Analysis:
- API Misuse: The vulnerability arises from the misuse of the ServerConfig.PublicKeyCallback API, where the order of keys provided does not guarantee which key was used for authentication.
- Partial Mitigation: The update to version 0.31.0 enforces that the last key passed to PublicKeyCallback is the key used for authentication, but this does not fully mitigate the risk if other authentication methods are used.
- Permissions Field: Security professionals should use the Extensions field of the Permissions return value to record authentication-related data and avoid relying on external state references.
References:
- NVD Entry: CVE-2024-45337
- GitHub Commit: b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
- Go Issue Tracker: Issue 70779
- Go Announcement: golang-announce
Conclusion: The vulnerability EUVD-2024-3508 highlights the importance of proper API usage and the need for robust security practices in SSH authentication. Organizations should prioritize updating to the latest secure versions and implementing best practices to mitigate the risk of authorization bypass attacks.