Golang SSH Agent Client Panic on SSH_AGENT_SUCCESS Response
Vulnerability
A denial-of-service vulnerability has been identified in the SSH agent client of the Golang crypto library, specifically in versions prior to 0.43.0. When the client receives an SSH_AGENT_SUCCESS response while expecting a different type of reply, it panics, leading to an unexpected termination of the client process. This issue can be triggered by a malicious or malfunctioning SSH agent that sends a well-formed success reply to requests that require specific response types.
Impact
Exploitation of this vulnerability causes a panic in the SSH client, disrupting the process and potentially leading to a segmentation violation.
Reproduction
The vulnerability can be reproduced by setting up an SSH agent server that responds with SSH_AGENT_SUCCESS to any request. When the client interacts with this server, it will panic due to the unexpected response type. This can be done by creating a TCP server that listens for SSH agent protocol messages, reads each request, and sends back a success reply. The client can then be made to call methods that expect typed responses, such as List() or Sign(), which will trigger the panic.
Remediation
Users can update to Golang crypto library version 0.43.0 or later, where this issue has been fixed.
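The defensive pattern for this class of bug is a reply handler that returns an error for a well-formed but unexpected message instead of treating it as impossible. The sketch below is an added illustration, not code from the Go crypto library or from this advisory; the reply types, `decodeReply` and `listKeys` are hypothetical names, and the sample replies in `main` are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical reply types for this sketch, keyed by the protocol's type byte.
type (
	failureMsg    struct{}                 // SSH_AGENT_FAILURE (5)
	successMsg    struct{}                 // SSH_AGENT_SUCCESS (6)
	identitiesMsg struct{ NumKeys uint32 } // SSH_AGENT_IDENTITIES_ANSWER (12)
)

// decodeReply maps a reply's leading type byte to a typed value.
func decodeReply(b []byte) (interface{}, error) {
	switch {
	case len(b) >= 1 && b[0] == 5:
		return &failureMsg{}, nil
	case len(b) >= 1 && b[0] == 6:
		return &successMsg{}, nil
	case len(b) >= 5 && b[0] == 12:
		return &identitiesMsg{NumKeys: binary.BigEndian.Uint32(b[1:5])}, nil
	}
	return nil, errors.New("agent: malformed or unknown reply")
}

// listKeys handles the reply to a list request. The default arm turns a
// well-formed but unexpected reply, such as success, into an error.
func listKeys(b []byte) (uint32, error) {
	reply, err := decodeReply(b)
	if err != nil {
		return 0, err
	}
	switch m := reply.(type) {
	case *identitiesMsg:
		return m.NumKeys, nil
	case *failureMsg:
		return 0, errors.New("agent: failed to list keys")
	default:
		return 0, fmt.Errorf("agent: unexpected reply %T to list request", m)
	}
}

func main() {
	fmt.Println(listKeys([]byte{6}))              // constructed success reply
	fmt.Println(listKeys([]byte{12, 0, 0, 0, 2})) // constructed answer, 2 keys
}
```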
