CVE-2021-43565 The golang.org/x/crypto package has an attacker-known-vulnerability that can cause a server to reboot.

This issue occurs due to a race condition in the parsing of SSH_MSG_CHANNEL_GROUP_NOTIF from one of the messages, which can be exploited to cause a panic. An attacker can send a malformed message to the client, which will trigger a parsing race condition and result in a panic. This can be done by sending an invalid SSH message. A possible attack scenario is when a web application receives a malformed request from a malicious user, it can be redirected to another website on the same host and malformed requests received by the remote website can be exploited. Note that this issue does not affect the majority of servers and only affects those using the OpenSSH protocol.

Vulnerability Scenario

The vulnerability is based on a race condition in the parsing of SSH_MSG_CHANNEL_GROUP_NOTIF from one of the messages, which can be exploited to cause a panic. An attacker can send a malformed message to the client, which will trigger a parsing race condition and result in a panic. This can be done by sending an invalid SSH message. A possible attack scenario is when a web application receives a malformed request from a malicious user, it can be redirected to another website on the same host and malformed requests received by the remote website can be exploited. Note that this issue does not affect the majority of servers and only affects those using the OpenSSH protocol.

Fix for CVE-2021-43565

OpenSSH version 6.6 and later are not vulnerable to this issue, because the message is validated before the channel group allocation.

CVE-2022-43566

This issue is a result of a race condition in the handling of SSH_MSG_CHANNEL_GROUP_NOTIF messages. An attacker can send a malformed message to the client that will trigger a parsing race condition and result in a panic. This can be done by sending an invalid SSH message. A possible attack scenario is when a web application receives a malformed request from a malicious user, it can be redirected to another website on the same host and malformed requests received by the remote website can be exploited.
Affected products/software versions:
* OpenSSH 6.7p1-p1
* OpenSSH 6.6
* OpenSSH 6.5p1
* OpenSSH 7.2, 7.3 and 7.4

Vulnerable Range of Systems

This vulnerability affects servers using the OpenSSH protocol, such as PuTTY, SecureCRT, and many other SSH clients.5 A client can send a malformed message to the server and exploit this vulnerability. This is a race condition that occurs during parsing of SSH_MSG_CHANNEL_GROUP_NOTIF messages. The race condition can be exploited by sending an invalid SSH message, which will trigger a parser panic resulting in denial of service.

Timeline

Published on: 09/06/2022 18:15:00 UTC
Last modified on: 09/09/2022 03:38:00 UTC

References

• https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs
• https://groups.google.com/forum/#!forum/golang-announce
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43565