PT-2017-4225 · Go · Golang.Org/X/Crypto/Ssh

Phil Pennock · Published 2017-04-04 · Updated 2026-01-22 · CVE-2017-3204

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: golang.org/x/crypto/ssh, versions prior to the one that includes commit e4e2799

Description: The issue stems from the default behavior of the Go SSH client library, which does not verify the server's host key when ClientConfig.HostKeyCallback is not set. Without host key verification, a remote attacker positioned on the network path can perform a man-in-the-middle attack against the connection.

Recommendations: For versions prior to the one including commit e4e2799, consider explicitly registering a host key verification mechanism by setting ClientConfig.HostKeyCallback to prevent man-in-the-middle attacks. As a temporary workaround, ensure that ClientConfig.HostKeyCallback is set in every SSH client configuration to minimize the risk of exploitation.
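As an added example (not code from this advisory or from golang.org/x/crypto/ssh), the pre-fix "accept anything" behavior beside a fingerprint-pinning callback of the shape ClientConfig.HostKeyCallback expects; it assumes a locally redeclared HostKeyCallback type (taking the key's wire bytes) and a hypothetical host name bastion.example so that it runs on the standard library alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net"
)

// HostKeyCallback mirrors ssh.HostKeyCallback from golang.org/x/crypto/ssh; it is
// redeclared here (assumption) with the key as wire bytes so no external module is needed.
type HostKeyCallback func(hostname string, remote net.Addr, key []byte) error

// WireEd25519 encodes a public key in SSH wire format: uint32-length-prefixed "ssh-ed25519", then the length-prefixed 32 key bytes.
func WireEd25519(pub ed25519.PublicKey) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte("ssh-ed25519"), pub} {
		n := len(f)
		out = append(append(out, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), f...)
	}
	return out
}

// Fingerprint returns the OpenSSH-style "SHA256:<unpadded base64>" digest of the wire key.
func Fingerprint(wireKey []byte) string {
	sum := sha256.Sum256(wireKey)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}
// InsecureIgnoreHostKey reproduces the pre-fix default: every key is accepted, so an interposed attacker's key is trusted like the real server's.
func InsecureIgnoreHostKey(string, net.Addr, []byte) error { return nil }

// PinnedHostKey builds the callback to set as ClientConfig.HostKeyCallback: a host must be in the pin table and present exactly the pinned fingerprint.
func PinnedHostKey(pins map[string]string) HostKeyCallback {
	return func(hostname string, remote net.Addr, key []byte) error {
		want, ok := pins[hostname]
		if !ok {
			return fmt.Errorf("no pinned host key for %q", hostname)
		}
		if got := Fingerprint(key); got != want {
			return fmt.Errorf("host key mismatch for %q: %s != %s", hostname, got, want)
		}
		return nil
	}
}

func main() { // demo with constructed sample keys: the genuine key passes, a different key is rejected
	server, _, _ := ed25519.GenerateKey(rand.Reader)
	forged, _, _ := ed25519.GenerateKey(rand.Reader)
	check := PinnedHostKey(map[string]string{"bastion.example": Fingerprint(WireEd25519(server))})
	fmt.Println(check("bastion.example", nil, WireEd25519(server)), check("bastion.example", nil, WireEd25519(forged)))
}
```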

Fix


Weakness Enumeration

Related identifiers

BDU:2022-06638
CVE-2017-3204
GHSA-XHJQ-W7XM-P8QJ
GO-2020-0013

Affected products

Golang.Org/X/Crypto/Ssh