
CVE-2017-3204: golang.org/x/crypto/ssh Man-in-the-Middle attack

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.84206%
CWE: -
Published: 2/7/2023
Updated: 4/19/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: golang.org/x/crypto
Ecosystem: go
Vulnerable Versions: < 0.0.0-20170330155735-e4e2799dd7aa
First Patched Version: 0.0.0-20170330155735-e4e2799dd7aa

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from ClientConfig.HostKeyCallback defaulting to nil, which prior to commit e4e2799 meant accepting any host key. The NewClientConn function (called by Dial) contained the critical security check logic. The commit diff shows that explicit validation was added to NewClientConn to reject a nil HostKeyCallback, confirming that these two functions were the entry points for insecure connections. Both functions became safe only once the change forced callers to register explicit host key verification.
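As an added illustration (not code from this page, from Miggo, or from golang.org/x/crypto), the Go model below reproduces the semantic change the root cause analysis describes: a nil HostKeyCallback silently accepted any server key before the fix and is refused outright after it, while a pinned callback rejects a mismatched key in either case. PublicKey, HostKeyCallback, ClientConfig, FixedHostKey and VerifyHostKey are stand-ins shaped like the x/crypto/ssh names, not the real package, and the patched flag is an assumption used to switch between the pre-commit and post-commit logic.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"net"
)

// PublicKey and HostKeyCallback are stand-ins shaped like ssh.PublicKey and
// ssh.HostKeyCallback in golang.org/x/crypto/ssh; this is a model, not that package.
type PublicKey interface{ Marshal() []byte }
type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error

// ed25519Key adapts a raw ed25519 public key to the PublicKey stand-in.
type ed25519Key ed25519.PublicKey

func (k ed25519Key) Marshal() []byte { return []byte(k) }

// ClientConfig carries the field at the centre of CVE-2017-3204.
type ClientConfig struct {
	HostKeyCallback HostKeyCallback // nil meant "accept any host key" before the fix
}

// ErrNoHostKeyCallback mirrors the explicit nil check added to NewClientConn in e4e2799.
var ErrNoHostKeyCallback = errors.New("ssh: must specify HostKeyCallback")

// FixedHostKey pins one expected host key, in the spirit of ssh.FixedHostKey.
func FixedHostKey(want PublicKey) HostKeyCallback {
	return func(_ string, _ net.Addr, got PublicKey) error {
		if !bytes.Equal(got.Marshal(), want.Marshal()) {
			return errors.New("ssh: host key mismatch")
		}
		return nil
	}
}

// VerifyHostKey models the client's host key step of the handshake.
// patched=false is the pre-fix logic (nil callback: any key accepted);
// patched=true is the post-fix logic (nil callback: connection refused).
func VerifyHostKey(cfg *ClientConfig, patched bool, host string, presented PublicKey) error {
	if cfg.HostKeyCallback == nil {
		if patched {
			return ErrNoHostKeyCallback
		}
		return nil // pre-fix: an impersonating server's key is trusted silently
	}
	return cfg.HostKeyCallback(host, nil, presented)
}
```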


WAF Protection Rules

WAF Rule

The Go SSH library (golang.org/x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks if ClientConfig.HostKeyCallback is not set. Default behavior changed in commit e4e2799 to require explicitly registering a hostk
