CVE-2020-29652

Name of the Vulnerable Software and Affected Versions golang.org/x/crypto/ssh versions through v0.0.0-20201203163018-be400aefbc4c

Description A nil pointer dereference in the golang.org/x/crypto/ssh component for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil. This issue can be exploited by clients to cause a panic in SSH servers.

Recommendations For golang.org/x/crypto/ssh versions through v0.0.0-20201203163018-be400aefbc4c, consider disabling the gssapi-with-mic authentication method until a patch is available to prevent remote attackers from causing a denial of service against SSH servers. Additionally, ensure that ServerConfig.GSSAPIWithMICConfig is properly configured to avoid nil pointer dereferences. At the moment, there is no information about a newer version that contains a fix for this vulnerability.