Vaion-257: vcore SSH server vulnerable to denial-of-service attack

Release Date

27th February 2020.

Overview

A vulnerability in the golang.org/x/crypto/ssh package was published by the Go team (CVE-2020-9283). This allows an attacker to make the vcore SSH server unavailable by connecting to it with a specially crafted public key.

Affected Products

  • vcore: Up to and including 1.4.1.

Unaffected Products

  • vcam: All versions.
  • vcloud: All versions.

Resolution

This issue has been fixed in vcore version 1.4.2. It is recommended that all vcore installations running an affected version upgrade to the latest release as soon as possible.

Vulnerability Information

An attacker can make the vcore SSH server unavailable by connecting to it with a specially crafted ssh-ed25519 or sk-ssh-ed25519@openssh.com public key. It is recommended that the vcore SSH server, served on TCP port 22, is made accessible only over a local network. This may mitigate the impact of this vulnerability.
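The defensive check that the fixed package applies can be shown in a few lines. The following is an added example, not code from vcore or from golang.org/x/crypto: it decodes an ssh-ed25519 public key blob from the SSH wire format (RFC 4251 length-prefixed strings) and rejects any key whose material is not exactly 32 bytes before the key reaches crypto/ed25519, which panics on a wrong-length public key rather than returning false. The helper names (readString, parseED25519, verifyBlob) and the sample blobs built in main are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Errors returned on malformed input instead of letting the process panic.
var (
	ErrShortBlob    = errors.New("ssh: key blob truncated")
	ErrKeyType      = errors.New("ssh: unexpected key type")
	ErrTrailingData = errors.New("ssh: trailing data after key")
	ErrBadKeyLength = errors.New("ssh: ed25519 public key has wrong length")
)

// readString decodes one RFC 4251 "string": a big-endian uint32 length
// followed by that many bytes. It bounds-checks both the prefix and the body.
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 {
		return nil, nil, ErrShortBlob
	}
	n := binary.BigEndian.Uint32(b)
	b = b[4:]
	if uint64(n) > uint64(len(b)) {
		return nil, nil, ErrShortBlob
	}
	return b[:n], b[n:], nil
}

// writeString encodes one RFC 4251 "string".
func writeString(s []byte) []byte {
	out := make([]byte, 4+len(s))
	binary.BigEndian.PutUint32(out, uint32(len(s)))
	copy(out[4:], s)
	return out
}

// marshalED25519 builds the wire blob: string "ssh-ed25519" || string key.
func marshalED25519(key []byte) []byte {
	return append(writeString([]byte("ssh-ed25519")), writeString(key)...)
}

// parseED25519 decodes an ssh-ed25519 public key blob. The length check at
// the end is the important part: crypto/ed25519.Verify panics if the public
// key is not ed25519.PublicKeySize bytes, so the check must run before any
// verification is attempted on a peer-supplied key.
func parseED25519(blob []byte) (ed25519.PublicKey, error) {
	typ, rest, err := readString(blob)
	if err != nil {
		return nil, err
	}
	if string(typ) != "ssh-ed25519" {
		return nil, ErrKeyType
	}
	key, rest, err := readString(rest)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, ErrTrailingData
	}
	if len(key) != ed25519.PublicKeySize {
		return nil, ErrBadKeyLength
	}
	return ed25519.PublicKey(key), nil
}

// verifyBlob parses a peer-supplied key blob and verifies sig over msg.
// Malformed blobs produce an error; they can never reach ed25519.Verify.
func verifyBlob(blob, msg, sig []byte) (bool, error) {
	pub, err := parseED25519(blob)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, msg, sig), nil
}

func main() {
	// Constructed sample: a fresh key pair and a signature over a short message.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed test message")
	sig := ed25519.Sign(priv, msg)

	ok, err := verifyBlob(marshalED25519(pub), msg, sig)
	fmt.Println("well-formed key:", ok, err)

	// Constructed malformed blob: key material one byte short. The hardened
	// parser reports an error instead of crashing the server.
	_, err = verifyBlob(marshalED25519(pub[:ed25519.PublicKeySize-1]), msg, sig)
	fmt.Println("short key:", err)
}
```

The same pattern applies to sk-ssh-ed25519@openssh.com keys, whose blob carries an extra application string after the key material; the length check on the key bytes is unchanged. Validating lengths at the parse boundary, rather than trusting that a lower-level library will fail gracefully, is what turns a remote crash into a rejected connection.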

Acknowledgements

Issue found, and reported to the Go team, by Alex Gaynor, Fish in a Barrel.

Disclosure Timeline

  • 20/02/2020 Vulnerability first published by the Go team
  • 20/02/2020 Fix identified
  • 27/02/2020 Patched vcore released
  • 27/02/2020 Vulnerability publicly disclosed