Vulnerability in golang.org/x/crypto/ssh package has been fixed
Recently Joern Schneeweisz of GitLab Security Research Team discovered a bug in Go language crypto/ssh package.
The ability to trigger the gssapi-with-mic
authentication method is not properly guarded when GSSAPIWithMICConfig
field of the ServerConfig type is nil.
If this field is not set and a client sends a gssapi-with-mic
request, regardless of if the server advertises it, the server will panic.
The Version v0.0.0-20201216223049-8b5274cf687f of golang.org/x/crypto fixes this vulnerability in the golang.org/x/crypto/ssh package.
Here is the complete details regarding the fix.
https://github.com/golang/crypto/commit/8b5274cf687fd9316b4108863654cc57385531e8
if config.GSSAPIWithMICConfig == nil {
authErr = errors.New("ssh: gssapi-with-mic auth not configured")
break;
}
With the above fix, the package will dissallow the request to call gssapi-with-mic
if GSSAPIWithMICConfig
is not set.