PT-2017-4225 · Go · Golang.Org/X/Crypto/Ssh
Phil Pennock
·
Published
2017-04-04
·
Updated
2026-01-22
·
CVE-2017-3204
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
golang.org/x/crypto/ssh versions prior to the version that includes commit e4e2799
Description
The issue is related to the default behavior of the Go SSH library, which does not verify host keys. This facilitates man-in-the-middle attacks if the ClientConfig.HostKeyCallback is not set. The lack of host key verification allows a remote attacker to execute a man-in-the-middle attack.
Recommendations
For versions prior to the one including commit e4e2799, consider explicitly registering a hostkey verification mechanism by setting ClientConfig.HostKeyCallback to prevent man-in-the-middle attacks. As a temporary workaround, ensure that ClientConfig.HostKeyCallback is set for all SSH client configurations to minimize the risk of exploitation.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Golang.Org/X/Crypto/Ssh