Bug 1908883 (CVE-2020-29652)
Summary: | CVE-2020-29652 golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | acui, agarcial, alcohan, ALEXANDER.HOPPE, amurdaca, aos-bugs, aos-storage-staff, bbaude, bbennett, blaise, bmontgom, btofel, container-sig, debarshir, dfreiber, dougsland, dramseur, drow, dwalsh, ebakerupw, eparis, extras-orphan, fdeutsch, gghezzo, gmalinko, gparvin, hchiramm, hvyas, jakubr, janstey, jburrell, jcantril, jchaloup, jhunter, jligon, jmulligan, jnovy, jokerman, jramanat, jweiser, jwendell, kconner, kmitts, lsm5, madam, mcooper, mgala, mheon, mjudeiki, mrajanna, njean, nobody, nstielau, owatkins, pahickey, pdelbell, pehunt, phoracek, pthomas, puebele, rcernich, rhaigner, rh.container.bot, rhs-bugs, rogbas, rphillips, rstepani, santiago, sd-operator-metering, sgott, sponnaga, stcannon, stirabos, storage-qa-internal, tcullum, thee, tsmetana, tsweeney, twalsh, umohnani, vkumar, xxia |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f | Doc Type: | If docs needed, set a value |
Doc Text: |
A null pointer dereference vulnerability was found in golang. When using the library's ssh server without specifying an option for GSSAPIWithMICConfig, it is possible for an attacker to craft an ssh client connection using the `gssapi-with-mic` authentication method and cause the server to panic resulting in a denial of service. The highest threat from this vulnerability is to system availability.
|
Last Closed: | 2021-02-24 19:02:17 UTC | Type: | --- |
Bug Depends On: | 1909938, 1909939, 1909967, 1909968, 1909969, 1909970, 1909971, 1909972, 1909973, 1909974, 1910038, 1910059, 1910181, 1910222, 1910223, 1910224, 1910225, 1910226, 1910227, 1910228, 1910229, 1910230, 1910231, 1910232, 1910233, 1910234, 1910235, 1910238, 1910239, 1910240, 1910241, 1910242, 1910243, 1910244, 1910245, 1910246, 1910247, 1910248, 1910249, 1910250, 1910251, 1910252, 1910253, 1910254, 1910255, 1910256, 1910257, 1910258, 1910440, 1910444, 1910447, 1910448, 1927094, 1927095 | ||
Bug Blocks: | 1908884 |
Description
Guilherme de Almeida Suckevicz
2020-12-17 19:29:59 UTC
External References:

https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

In general, a majority of components depend on golang.org/x/crypto; however, to be considered affected here they must actually depend on golang.org/x/crypto/ssh and thus compile in crypto/ssh/server.go. If the component depends on golang.org/x/crypto/ssh/terminal only, then it is not considered here, as the affected code is not compiled in. Depending on crypto/ssh/terminal will not compile in crypto/ssh/server.go.

Two ways to confirm this:

1. If using go mod, using `go list` will take this into account and not report crypto/ssh as a dependency even if used only in test, or
2. inspecting the binary with strings and looking for the file crypto/ssh/server.go.

Gopkg: I've not found an easy way to use it; I have to rely only on it being present in the vendor directory.

Statement:

A large number of products include the affected package, but do not make use of the vulnerable SSH server code. Accordingly, the flaw itself is rated as "Important", but these products themselves all have a "Low" severity rating.

Additionally, a number of products include golang.org/x/crypto (or even golang.org/x/crypto/ssh/terminal) but not specifically golang.org/x/crypto/ssh/server.go in the final build. As this would result in a very large number of entries of not affected products, only products which include the ssh server code (golang.org/x/crypto/ssh/server.go) have been represented here.

Red Hat Enterprise Linux 8 container-tools:rhel8/containernetworking-plugins is not affected because although it uses some functionality from golang.org/x/crypto, it does not use or import anything from golang.org/x/crypto/ssh/*.
Created gomtree tracking bugs for this issue:

Affects: fedora-all [bug 1927095]

Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1927094]

This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29652

This issue has been addressed in the following products:

RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:1796 https://access.redhat.com/errata/RHSA-2021:1796

This issue has been addressed in the following products:

RHEL-8-CNV-4.8

Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920
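The affectedness rule from the description (golang.org/x/crypto/ssh must be compiled in, and x/crypto must predate the "Fixed In Version") can be turned into a small triage helper. This is an added example, not code from this bug or from the Go project; the function names, the result strings and the sample version are assumptions made for illustration.

```go
// Added example (hypothetical helper): CVE-2020-29652 triage from `go list` output.
package main

import (
	"fmt"
	"strings"
)

// Fixed pseudo-version from this bug's "Fixed In Version" field.
const fixedVersion = "v0.0.0-20201216223049-8b5274cf687f"
const sshPkg = "golang.org/x/crypto/ssh"

// pseudoTime returns the 14-digit commit timestamp of a v0.0.0-<time>-<hash>
// pseudo-version, or "" if v does not have that shape.
func pseudoTime(v string) string {
	parts := strings.Split(v, "-")
	if len(parts) != 3 || parts[0] != "v0.0.0" || len(parts[1]) != 14 {
		return ""
	}
	return parts[1]
}

// classify takes the package list printed by `go list -deps ./...` and the
// version from `go list -m -f '{{.Version}}' golang.org/x/crypto`.
func classify(deps []string, cryptoVersion string) string {
	compiledIn := false
	for _, p := range deps {
		// Exact match only: .../ssh/terminal does not pull in server.go.
		if strings.TrimSpace(p) == sshPkg {
			compiledIn = true
		}
	}
	if !compiledIn {
		return "not affected: crypto/ssh not compiled in"
	}
	t := pseudoTime(cryptoVersion)
	if t == "" { // tagged release or unknown shape: compare by hand
		return "review: crypto/ssh compiled in, version " + cryptoVersion
	}
	if t < pseudoTime(fixedVersion) { // equal-length digit strings sort by time
		return "affected: crypto/ssh compiled in, predates fix"
	}
	return "fixed: crypto/ssh compiled in, at or after fix"
}

func main() {
	// Constructed sample input, not taken from a real product.
	fmt.Println(classify([]string{sshPkg}, "v0.0.0-20200101000000-000000000000"))
}
```

An "affected" result only means the package is built in at a version before the fix; whether the component actually runs an SSH server still has to be checked separately, as the Statement above notes.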