Improper authorization in Go Crypto package

1) Improper authorization

EUVDB-ID: #VU101777

Risk: Medium

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-45337

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

crypto: 0.0.0-0.20190320223903-b7391e95e576 - 0.30.0

CPE2.3

• cpe:2.3:a:google:crypto:0.0.0-0.20190320223903-b7391e95e576:*:*:*:*:*:*:*
• cpe:2.3:a:google:crypto:0.0.0-20190308221718-c2843e01d9a2:*:*:*:*:*:*:*
• cpe:2.3:a:google:crypto:0.0.0-20190325154230-a5d413f7728c:*:*:*:*:*:*:*

External links

https://www.openwall.com/lists/oss-security/2024/12/11/2
https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
https://go.dev/cl/635315
https://go.dev/issue/70779
https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
https://pkg.go.dev/vuln/GO-2024-3321
https://github.com/advisories/GHSA-v778-237x-gjrc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.