Go SSH potential authentication bypass (CVE-2024-45337)
On December 11th, 2024, the Go Security Team disclosed a potential vulnerability in the Go standard library's implementation of SSH, discovered by the Platform.sh Engineering Team.
The issue, assigned CVE-2024-45337, could result in an authentication bypass or potentially incorrect permissions granted to a remote user when connecting to the SSH server. The issue stems from a common usage pattern of the library, which does not verify or report which of multiple SSH public keys was used for authentication to a server.
Note that this is a vulnerability in the Go standard library's implementation, and thus any product using the standard library to construct an SSH server could be vulnerable. Approximately 19,000 publicly-accessible projects import the relevant package.
Are any updates or workarounds available?
The Go Project has released a new version of Go that partially addresses the issue by making the commonly-misused programming pattern less likely to be used, and offered guidance to programmers on how to more safely use the library.
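The following is an added illustration, not code from the Go project or from runZero: a simplified model of why identity taken from callback side-state can differ from the key that actually authenticated, next to one way of binding identity to that key. The names (`Server`, `keyCallback`, `Permissions`, `UnsafeUser`, `SafeUser`) and the key and account values are constructed stand-ins, not the library's API.

```go
package main

import "fmt"

// Simplified stand-ins for a server-side key callback; hypothetical names.
type Permissions struct{ Extensions map[string]string }

type Server struct {
	authorized map[string]string // constructed data: public key -> account
	lastKey    string            // side-state written by the callback (unsafe)
}

// keyCallback runs once per key the client offers. An accepted offer does
// not mean the client went on to authenticate with that key.
func (s *Server) keyCallback(key string) (*Permissions, bool) {
	user, ok := s.authorized[key]
	if !ok {
		return nil, false
	}
	s.lastKey = key
	return &Permissions{Extensions: map[string]string{"user": user, "key": key}}, true
}

// authenticate models one connection: each offered key reaches the callback,
// but only signedWith is backed by a signature, so only its permissions count.
func (s *Server) authenticate(offered []string, signedWith string) *Permissions {
	var granted *Permissions
	for _, k := range offered {
		if p, ok := s.keyCallback(k); ok && k == signedWith {
			granted = p
		}
	}
	return granted
}

// UnsafeUser trusts whatever key the callback saw last (the misused pattern).
func (s *Server) UnsafeUser() string { return s.authorized[s.lastKey] }

// SafeUser reads identity from the permissions bound to the key that signed.
func SafeUser(p *Permissions) string {
	if p == nil {
		return ""
	}
	return p.Extensions["user"]
}

func main() {
	s := &Server{authorized: map[string]string{"pk-deploy": "deploy", "pk-admin": "admin"}}
	p := s.authenticate([]string{"pk-deploy", "pk-admin"}, "pk-deploy")
	fmt.Println("unsafe:", s.UnsafeUser(), "safe:", SafeUser(p))
}
```

When reviewing an embedded SSH server, the thing to look for is any authorization decision that reads state set inside the key callback instead of the permissions attached to the established connection.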
How to find potentially vulnerable systems with runZero
Because the vulnerable SSH implementation is generally embedded inside other applications, it is usually not possible to determine by filesystem or software examination whether the server is in use. However, runZero's direct scanning of asset services provides a reliable and powerful mechanism to detect what SSH implementations are listening on your network.
From the Software Inventory you can use the following query to locate potentially vulnerable systems:
product:="Go SSH"