CVE-2020-9283

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions golang.org/x/crypto versions prior to v0.0.0-20200220183623-bac4c82f6975

Description The issue allows a panic during signature verification in the golang.org/x/crypto/ssh package. This can be exploited by a client to attack an SSH server that accepts public keys, or by a server to attack any SSH client. An attacker can craft specific public keys, such as ssh-ed25519 or sk-ssh-ed25519@openssh.com, to cause the library to panic when verifying a signature, potentially leading to a denial of service.

Recommendations For versions prior to v0.0.0-20200220183623-bac4c82f6975, update to v0.0.0-20200220183623-bac4c82f6975 or later to resolve the issue. As a temporary workaround, consider restricting the use of user-supplied public keys for signature verification to minimize the risk of exploitation.

Exploit

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

CVE-2020-9283

DLA-2402-1

DLA-2453-1

DLA-2455-1

DLA-3455-1

GHSA-FFHG-7MH4-33C4

GO-2020-0012

RHSA-2020:2413

RHSA-2020:3369

Affected Products

Golang.Org/X/Crypto

CVE-2020-9283

Weakness Enumeration

Related Identifiers

Affected Products

References · 36