CVE-2017-3204 — Man-in-the-middle attack in golang.org/x/crypto/ssh

Description

The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

How to fix CVE-2017-3204

To remediate CVE-2017-3204, upgrade the affected package to a fixed version below.

Debian/golang-go.crypto—upgrade to 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1 or later
—upgrade to 0.0.0-20170330155735-e4e2799dd7aa or later
—upgrade to 0.0.0-20170330155735-e4e2799dd7aa or later

Is CVE-2017-3204 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
from 0, < 0.0.0-20170330155735-e4e2799dd7aa
from 0, < 0.0.0-20170330155735-e4e2799dd7aa

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-3204
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-3204
WEBbridge.grumpy-troll.org/2017/04/golang-ssh-security
WEBbridge.grumpy-troll.org/2017/04/golang-ssh-security/