VAION-257: vcore SSH server vulnerable to denial-of-service attack
27th February 2020.
A vulnerability in the golang.org/x/crypto/ssh package was published by the Go team (CVE-2020-9283). This allows an attacker to make the vcore SSH server unavailable by connecting to it with a specially crafted public key.
Affected versions:
- vcore: Up to and including 1.4.1.
- vcam: All versions.
- vcloud: All versions.
This issue has been fixed in vcore version 1.4.2.
It is recommended that all vcore installations running an affected version upgrade to the latest release as soon as possible.
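Operators who build their own Go services against golang.org/x/crypto/ssh need the same check the vcore team made: does the pinned x/crypto revision predate the upstream fix? The Go program below is an added example, not vcore code, that scans a go.mod file for the golang.org/x/crypto requirement and compares its pseudo-version commit timestamp against the fix date (20 February 2020, the "Fix identified" date in the timeline; the exact fix pseudo-version `v0.0.0-20200220183623-bac4c82f6975` is quoted from the upstream Go advisory and should be confirmed there). The go.mod text and its commit hash are constructed sample input.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Commit timestamp of the upstream x/crypto fix for CVE-2020-9283, taken from the
// Go advisory's patched pseudo-version v0.0.0-20200220183623-bac4c82f6975.
// Assumption: confirm against the upstream advisory before relying on it.
const fixTimestamp = "20200220183623"

// pseudoVersionRe captures the 14-digit commit timestamp of a Go pseudo-version,
// e.g. v0.0.0-20191011191535-0123456789ab or v0.1.1-0.20191011191535-0123456789ab.
var pseudoVersionRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.*\.)?(\d{14})-[0-9a-f]{12}$`)

// Finding describes the x/crypto requirement found in a go.mod file.
type Finding struct {
	Module     string
	Version    string
	Vulnerable bool
	Reason     string
}

// Constructed sample go.mod pinning x/crypto to a revision from October 2019,
// i.e. before the fix. The commit hash is a placeholder, not a real revision.
const sampleGoMod = `module example.com/sshd

go 1.13

require (
	github.com/example/other v1.2.3
	golang.org/x/crypto v0.0.0-20191011191535-0123456789ab
)
`

// CheckGoMod scans go.mod text for the golang.org/x/crypto requirement, in either a
// single-line or a block require directive, and classifies its version.
// It returns ok=false when no such requirement is present. Caveat: a replace
// directive redirecting x/crypto elsewhere is skipped here and must be inspected
// separately, since the effective code would then come from the replacement.
func CheckGoMod(gomod string) (Finding, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "golang.org/x/crypto" || fields[1] == "=>" {
			continue
		}
		return classify(fields[0], fields[1]), true
	}
	return Finding{}, false
}

// classify compares a pseudo-version's commit timestamp with the fix timestamp.
// Tagged x/crypto releases (v0.1.0 and later) were all cut after the fix.
func classify(module, version string) Finding {
	f := Finding{Module: module, Version: version}
	m := pseudoVersionRe.FindStringSubmatch(version)
	if m == nil {
		f.Reason = "tagged release, post-dates the fix"
		return f
	}
	// Both strings are 14 digits (YYYYMMDDhhmmss), so lexical order is chronological.
	if m[1] < fixTimestamp {
		f.Vulnerable = true
		f.Reason = fmt.Sprintf("commit time %s predates fix %s", m[1], fixTimestamp)
	} else {
		f.Reason = "commit time is at or after the fix"
	}
	return f
}

func main() {
	f, ok := CheckGoMod(sampleGoMod)
	if !ok {
		fmt.Println("golang.org/x/crypto not required by this module")
		return
	}
	fmt.Printf("%s %s vulnerable=%v (%s)\n", f.Module, f.Version, f.Vulnerable, f.Reason)
}
```

Run it against a real go.mod by reading the file into `CheckGoMod`; a `Vulnerable=true` result means the build should be re-pinned to the fixed x/crypto revision or a later tagged release and redeployed, which is the same remedy the advisory applies to vcore.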
An attacker can make the vcore SSH server unavailable by connecting to it with a specially crafted ssh-ed25519 or sk-ed25519@openssh.com public key.
It is recommended that the vcore SSH server, served on TCP port 22, be made accessible only over a local network. This may reduce the impact of this vulnerability but does not remove it; upgrading remains necessary.
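One way to apply that network restriction on a Linux host in front of, or hosting, vcore is an nftables ruleset that accepts TCP/22 only from a local subnet and logs everything else. This is an added example, not configuration shipped with vcore; 10.0.0.0/24 is an assumed management network and the table name is arbitrary.

```nftables
#!/usr/sbin/nft -f
# Added example: expose the vcore SSH service (TCP/22) to a local network only.
# 10.0.0.0/24 is an assumed management subnet; replace it with your own.
table inet vcore_ssh {
    chain input {
        type filter hook input priority 0; policy accept;

        # Keep already-established sessions working.
        ct state established,related accept

        # SSH is reachable only from the assumed local management subnet.
        ip saddr 10.0.0.0/24 tcp dport 22 accept

        # Any other connection attempt to port 22 is logged (for detection) and dropped.
        tcp dport 22 log prefix "vcore-ssh-blocked: " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet vcore_ssh`. The log prefix gives a simple signal for connection attempts from outside the local network; the rule limits who can reach the vulnerable listener but the fix remains the vcore 1.4.2 upgrade.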
References:
- CVE: CVE-2020-9283
- CVSSv3 score: 7.5 High
- CVSSv3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Issue found, and reported to the Go team, by Alex Gaynor, Fish in a Barrel.
Timeline:
- 20/02/2020 Vulnerability first published by the Go team
- 20/02/2020 Fix identified
- 27/02/2020 Patched vcore released
- 27/02/2020 Vulnerability publicly disclosed