Google Go, OpenSSH Both Need Prompt Patching for Encryption Leaks – InApps 2022

A newly-discovered flaw in the Google Go math package could, in some rare circumstances, provide access to private keys on the server upon which it runs.

While exploiting this vulnerability would be difficult, “everyone is strongly encouraged to upgrade,” wrote Google Go product manager Jason Buberel, in a golang-dev mailing list message announcing the release of the corrected Go, version 1.53.

The bug, hiding inside the math/big package, was introduced in  Go 1.5. It can affect RSA computations run by crypto/rsa, which is called by crypto/tls library. Other protocol implementations that use crypto/rsa may be affected as well. 

Go programs compiled with Go 1.5 that relied on the crypto/rsa package should also be recompiled, Google said.

The issue stems from one of the computations offered by the package, the RSA Chinese Remainder, that can occasionally leak one of the primes of the private key.

On 32-bit systems, this will only happen, randomly, around one in 2^26 times. Still, Buberel estimated that a malicious user could extract the entire private key by requesting about 64 million public signatures from an infected server.

On 64-bit systems, the bug may show itself 2^50, times, making it too difficult to exploit, Buberel reckoned.

“For folks who are using Go this vulnerability is very critical, as TLS servers on 32-bit systems could leak their RSA private keys. Private keys are literally the keys to the kingdom and that puts this vulnerability in the league of Heartbleed,” e-mailed Amol Sarwate, director of engineering and head of vulnerability research for IT security firm Qualys.

See for CVE-2015-8618 more information. Downloads of the fixed Go can be found here and instructions for fixing by way of the command line can be found here and here.

If you’re running the OpenSSH secure shell client on your machines, you need to be a patchin’ too.

OpenBSD Theo de Raadt first brought light to the flaw early Thursday morning in a mailing list announcement. The flaw affects OpenSSH in all operating systems, from version 5.4 to 7.1.

“This is the most serious bug you’ll hear about this week,” warned OpenBSD editor T.J. on Thursday.

“Since SSH is often used to automate system administration processes, getting a such a private key would provide very broad access to an infrastructure,” warned Wolfgang Kandek, CTO of Qualys, in a statement.

This flaw stems from an unfinished feature, according to Qualys. Since 2010, the OpenSSH client has supported an undocumented and unfinished feature called roaming which would have allowed the client to automatically reconnect to the server should the connection unexpectedly break.

Though support was never actually added to the OpenSSH server software, the client has been enabled the feature by default.

Theo de Raadt highlighted two vulnerabilities in the client software. One flaw could leak information from the machines working memory. Depending on the client’s version, compiler, and operating system, the client software could be probed by a malicious SSH server to steal the client’s private keys.

Such attacks may have already happened, Qualys speculated. As a precaution, the company is recommending that users regenerate their SSH keys.

The second flaw, a buffer overflow issue, is unlikely to have any real-world impact, Qualys advised, given that it requires a number of non-default options to be set, a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X).

Various versions of the software for different OSes have been or are currently being updated. For those installments that can’t readily be updated, de Raadt advises shutting off the roaming feature manually, either by adding to “UseRoaming no” to the ssh_config file or by adding “-oUseRoaming=no” to the command to call the software.

More information can be found for the memory leak at CVE-2016-0777, and for the buffer overflow at CVE-2016-0778.

Feature Image: Go Gopher via Golang.