Go crypto/tls Library Session Resumption Trust Anchor Bypass Vulnerability
Vulnerability
A vulnerability exists in the Go programming language's crypto/tls library, affecting versions prior to 1.24.13, versions from 1.25.0-0 before 1.25.7, and the 1.26.0 release candidates from 1.26.0-rc.1 before 1.26.0-rc.3. During session resumption, if the Config's ClientCAs or RootCAs fields are changed between the initial and resumed handshakes, the resumption may incorrectly succeed. This issue can arise when Config.Clone is used to create a mutable copy of the configuration or when Config.GetConfigForClient is called. As a result, a client or server may resume a session under conditions that would have been rejected during the original handshake, leading to potential authentication bypass.
Impact
Exploiting this vulnerability can cause a trust anchor bypass, allowing sessions to be resumed inappropriately and potentially bypassing authentication requirements.
Reproduction
To reproduce this vulnerability, first establish a TLS connection using a Config that includes specific ClientCAs or RootCAs. Then clone the Config, or use Config.GetConfigForClient, to create a new configuration that modifies the authentication parameters. When a session is resumed with this altered configuration, the handshake may succeed despite not meeting the original authentication requirements.
Remediation
Users can update to Go versions 1.25.7 or 1.24.13, both of which include the necessary fix. After updating, it's important to review the application's use of Config.Clone and Config.GetConfigForClient to ensure that session resumption behaves as expected.
