@nyxfqq
Last active July 3, 2024 08:20
CVE-2024-39223
[Suggested description]
An authentication bypass in the SSH service of gost v2.11.5 allows
attackers to intercept communications via a man-in-the-middle attack.
------------------------------------------
[VulnerabilityType Other]
CWE305
------------------------------------------
[Vendor of Product]
https://github.com/ginuerzh/gost
------------------------------------------
[Affected Product Code Base]
gost - <=2.11.5
------------------------------------------
[Affected Component]
local/remote TCP port forwarding (SSH client side)
Integrity and confidentiality of forwarded traffic
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
An attacker positioned on the network path could exploit this vulnerability by intercepting the SSH connection and performing a man-in-the-middle (MITM) attack without being detected, because the client skips host key (fingerprint) verification.
---
Description:
Specifically, in the file `github.com/ginuerzh/gost/ssh.go` at line 229, there is a critical configuration that bypasses host key verification, potentially exposing systems to Man-in-the-Middle (MitM) attacks.
The relevant code snippet is as follows:
```go
config := ssh.ClientConfig{
	Timeout:         timeout,
	HostKeyCallback: ssh.InsecureIgnoreHostKey(), // This line disables host key verification
}
```
This configuration sets `HostKeyCallback` to `ssh.InsecureIgnoreHostKey()`, which effectively disables host key verification during the SSH connection establishment. As a result, any server's host key is accepted without validation, making it impossible for `gost` to ensure that it is connecting to the intended and trusted server.
Potential Impact:
Disabling host key verification significantly weakens the security of SSH connections managed by `gost`. An attacker could exploit this vulnerability by intercepting the SSH connection and presenting a forged host key, thereby enabling them to perform MitM attacks. This could lead to the theft of sensitive data, unauthorized access to systems, or the execution of malicious actions on behalf of legitimate users.
Suggested Solution:
To mitigate this risk, I recommend implementing a secure host key verification mechanism. This could involve using a known host key, or if dynamic host keys are expected, storing and comparing fingerprints against a list of trusted keys. The `HostKeyCallback` should be updated to use a callback function that checks the host key against a list of known or trusted keys.
For instance, the `HostKeyCallback` could be replaced with:
```go
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
	// Implement your host key verification logic here, e.g. compare
	// ssh.FingerprintSHA256(key) with the fingerprint pinned for hostname.
	// Return nil if the host key is trusted, otherwise return an error.
},
```
------------------------------------------
[Discoverer]
YueXi Zhang