#VU69451 Man-in-the-Middle (MitM) attack in crypto


Published: 2022-11-21

Vulnerability identifier: #VU69451

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3204

CWE-ID: CWE-300

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
crypto
Universal components / Libraries / Libraries used by multiple products

Vendor:

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Go Crypto library does not verify host keys. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
http://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
http://github.com/golang/go/issues/19767
http://godoc.org/golang.org/x/crypto/ssh

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
IBM CICS TX update for golang
MitM attack in Go Crypto