CVE-2024-45337: Golang Crypto Library Flawed, Risks Authorization Bypass

CVE-2024-45337

A critical security vulnerability, tracked as CVE-2024-45337 (CVSS 9.1), has been discovered in the Golang cryptography library. This flaw stems from the misuse of the ServerConfig.PublicKeyCallback function, potentially leading to authorization bypasses in applications and libraries.

The Root of the Problem:

The PublicKeyCallback function is designed to allow servers to verify the authenticity of public keys offered by clients during SSH connections. However, the documentation explicitly states that this callback does not guarantee the actual key used for authentication.

The vulnerability arises when applications incorrectly rely on the order or content of keys presented to PublicKeyCallback to make authorization decisions. Attackers can exploit this by:

  1. Presenting multiple public keys: An attacker can send a series of public keys, with the intent of misleading the server.
  2. Authenticating with a different key: Even if the server verifies a specific public key, the attacker can authenticate using a different method entirely (e.g., password, keyboard-interactive).

This misalignment between the presented keys and the actual authentication method can trick vulnerable applications into granting unauthorized access.

Mitigation:

  • Upgrade to golang.org/x/crypto v0.31.0 or later: This version includes a critical fix that enforces the use of the last key passed to PublicKeyCallback during successful public key authentication.
  • Properly Utilize Permissions: Applications should leverage the Permissions field within authentication callbacks to store and retrieve data relevant to the authentication attempt. Avoid making authorization decisions based on external state or the order of keys presented to PublicKeyCallback.
  • Review Third-Party Libraries: If using third-party libraries that interact with golang.org/x/crypto, carefully review their documentation and implementation for potential misuses of PublicKeyCallback and the Permissions field.

Related Posts: