GO-2023-2402

Source

https://pkg.go.dev/vuln/GO-2023-2402

Import Source

https://vuln.go.dev/ID/GO-2023-2402.json

Aliases

Published

2023-12-18T21:18:26Z

Modified

2024-04-26T21:22:33Z

Details

A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware.

The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2MSGEXT_INFO message, disabling a handful of newer security features.

This protocol weakness was also fixed in OpenSSH 9.6.

References

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.17.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/crypto/ssh",
            "symbols": [
                "Client.Dial",
                "Client.DialContext",
                "Client.DialTCP",
                "Client.Listen",
                "Client.ListenTCP",
                "Client.ListenUnix",
                "Client.NewSession",
                "Dial",
                "DiscardRequests",
                "NewClient",
                "NewClientConn",
                "NewServerConn",
                "Request.Reply",
                "Session.Close",
                "Session.CombinedOutput",
                "Session.Output",
                "Session.RequestPty",
                "Session.RequestSubsystem",
                "Session.Run",
                "Session.SendRequest",
                "Session.Setenv",
                "Session.Shell",
                "Session.Signal",
                "Session.Start",
                "Session.WindowChange",
                "channel.Accept",
                "channel.Close",
                "channel.CloseWrite",
                "channel.Read",
                "channel.ReadExtended",
                "channel.Reject",
                "channel.SendRequest",
                "channel.Write",
                "channel.WriteExtended",
                "connectionState.readPacket",
                "connectionState.writePacket",
                "curve25519sha256.Client",
                "curve25519sha256.Server",
                "dhGEXSHA.Client",
                "dhGEXSHA.Server",
                "dhGroup.Client",
                "dhGroup.Server",
                "ecdh.Client",
                "ecdh.Server",
                "extChannel.Read",
                "extChannel.Write",
                "handshakeTransport.enterKeyExchange",
                "handshakeTransport.readLoop",
                "handshakeTransport.sendKexInit",
                "mux.OpenChannel",
                "mux.SendRequest",
                "sessionStdin.Close",
                "sshClientKeyboardInteractive.Challenge",
                "tcpListener.Accept",
                "tcpListener.Close",
                "transport.readPacket",
                "transport.writePacket",
                "unixListener.Accept",
                "unixListener.Close"
            ]
        }
    ]
}