Google · golang.org/x/crypto/ssh · CVE-2020-29652
**Name of the Vulnerable Software and Affected Versions**
golang.org/x/crypto/ssh versions through v0.0.0-20201203163018-be400aefbc4c
**Description**
A nil pointer dereference in the golang.org/x/crypto/ssh component for Go allows remote attackers to cause a denial of service against SSH servers. A client can send a crafted authentication request for the `gssapi-with-mic` method, and if `ServerConfig.GSSAPIWithMICConfig` is nil, `NewServerConn` dereferences the nil pointer and panics.
**Recommendations**
For golang.org/x/crypto/ssh versions through v0.0.0-20201203163018-be400aefbc4c: to prevent remote attackers from causing a denial of service against SSH servers, consider disabling the `gssapi-with-mic` authentication method until a patch is available. Additionally, ensure that `ServerConfig.GSSAPIWithMICConfig` is properly configured to avoid nil pointer dereferences. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
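
A simplified, standard-library-only Go model of the bug class described above, added here as an illustration and not taken from golang.org/x/crypto/ssh. The types and the functions `authVulnerable`, `authHardened` and `guard` are hypothetical stand-ins. It shows an optional config pointer dereferenced for a client-selected method, the nil check that turns the panic into an ordinary authentication failure, and a `recover` wrapper that confines a handshake panic to one connection.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types modelling the bug class, not the real x/crypto/ssh ones.
type GSSAPIWithMICConfig struct{ AllowLogin func(user string) error }

type ServerConfig struct {
	GSSAPIWithMICConfig *GSSAPIWithMICConfig // optional, nil when unset
}

var errNoAuth = errors.New("auth method not available")

// authVulnerable dereferences the optional config for a client-chosen method.
func authVulnerable(cfg *ServerConfig, method, user string) error {
	if method == "gssapi-with-mic" {
		return cfg.GSSAPIWithMICConfig.AllowLogin(user) // panics when nil
	}
	return errNoAuth
}

// authHardened treats an unset config as "method not offered".
func authHardened(cfg *ServerConfig, method, user string) error {
	g := cfg.GSSAPIWithMICConfig
	if method != "gssapi-with-mic" || g == nil || g.AllowLogin == nil {
		return errNoAuth
	}
	return g.AllowLogin(user)
}

// guard converts a panic in one connection's handshake into an error,
// so a single client cannot take the whole process down.
func guard(handshake func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handshake panicked: %v", r)
		}
	}()
	return handshake()
}

func main() {
	cfg := &ServerConfig{} // constructed input: GSSAPI left unconfigured
	fmt.Println(guard(func() error { return authVulnerable(cfg, "gssapi-with-mic", "alice") }))
	fmt.Println(guard(func() error { return authHardened(cfg, "gssapi-with-mic", "alice") }))
}
```

In a real server the `guard` pattern would wrap the per-connection goroutine that performs the handshake. That placement is an assumption about the deployment, not something the advisory specifies.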