How to fix CVE-2024-45337 – Step-by-Step Guide
CVE-2024-45337 addresses a critical vulnerability in the Go standard library's crypto/ssh package. This flaw, named 'Misuse of ServerConfig.PublicKeyCallback', could lead to unauthorized SSH authentication bypass. Published on December 11, 2024, it carries a CVSS score of 9.1.
What is Go crypto/ssh – Misuse of ServerConfig.PublicKeyCallback?
CVE-2024-45337 is a logic flaw in Go's crypto/ssh ServerConfig.PublicKeyCallback. It allows applications to incorrectly authorize SSH connections. The vulnerability occurs when the callback approves a key, but the actual authentication fails, yet the connection proceeds. This bypasses critical security checks in the SSH authentication flow, leading to unauthorized access.
Impact and Risks for your Infrastructure
The primary impact is an unauthorized SSH authentication bypass in affected Go applications. Attackers can exploit this flaw to authenticate to SSH servers using any public key, even if not properly authorized. This can lead to unauthorized access to sensitive systems, data breaches, and potential compromise of infrastructure, posing a significant security risk.
Step-by-Step Mitigation Guide
To mitigate CVE-2024-45337, update your Go installations to versions 1.22.10 or 1.23.4, or newer. These versions contain the necessary fix for the crypto/ssh package. After updating, verify your application's SSH server functionality to ensure proper authentication behavior and confirm the vulnerability is no longer present.
- 1Upgrade Go to 1.22.10+ or 1.23.4+.
- 2Review your PublicKeyCallback implementation to ensure it rejects unauthorized keys.
- 3Add explicit key allowlist validation inside PublicKeyCallback.
- 4Rotate SSH host keys and audit SSH access logs for anomalies.
- 5Run static analysis (govulncheck) to detect usage of vulnerable patterns.
- 6Pin allowed public keys in your callback rather than relying on post-callback checks.