Go SSH Client Channel Rejection Memory Leak Vulnerability

Vulnerability

A memory leak has been identified in the 'golang.org/x/crypto/ssh' package prior to version 0.52.0. It affects the server side of an SSH connection: when an authenticated SSH client repeatedly opens channels that the server rejects, the server keeps a record of each rejected channel in the connection's internal channel table instead of discarding it. Because rejected channels are never removed, the connection's memory grows without bound for as long as the client keeps sending channel-open requests. The growth can eventually crash the server process, which disrupts service for all connected users, not only the offending client. The fix removes rejected channels from the connection's internal state so that they can be garbage collected.

Impact

Exploitation causes a denial-of-service condition on the SSH server: the server's memory grows until the process is killed or crashes, disrupting service for all connected users. The trigger requires an authenticated session, so the attacker must hold valid credentials for the server, but no privileges beyond authentication are needed, since rejected channel-open requests are processed for any logged-in client.

Reproduction

An authenticated SSH client reproduces the issue by repeatedly opening channels that the server rejects, for example channels of a type the server does not handle, which servers typically answer with a channel-open failure. Each rejected request leaves an entry in the server's per-connection channel state, so the server's memory grows in proportion to the number of rejections; watching the resident memory of the server process while the client loops confirms the leak. Any channel request the server rejects suffices.
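To make the mechanism concrete, the following Go program is an added, constructed model of the per-connection bookkeeping the advisory describes; it is not code from golang.org/x/crypto/ssh, and the type and function names (chanList, serverConn, simulate) and the per-connection rejection limit are assumptions for illustration. It contrasts a rejection path that leaves the entry in the connection's channel table (the leak) with one that removes it (the fix), and shows a rejection budget as the kind of interim limit an operator might add to a server that cannot be rebuilt against the fixed module immediately.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Constructed model of the server-side channel table described in the advisory.
// It is NOT the golang.org/x/crypto/ssh implementation; the names below are
// assumptions for illustration.

var (
	errConnClosed     = errors.New("connection closed: too many rejected channel opens")
	errAlreadyDecided = errors.New("channel already accepted or rejected")
)

// channel is the state a server keeps for one channel-open request.
type channel struct {
	localID  uint32
	chanType string
	decided  bool
	window   []byte // stands in for per-channel buffers and window state
}

// chanList is the connection-wide table from local channel ID to channel.
// Every entry stays reachable (and therefore not collectable) until removed.
type chanList struct {
	mu    sync.Mutex
	chans map[uint32]*channel
	next  uint32
}

func newChanList() *chanList { return &chanList{chans: make(map[uint32]*channel)} }

func (l *chanList) add(chanType string) *channel {
	l.mu.Lock()
	defer l.mu.Unlock()
	ch := &channel{localID: l.next, chanType: chanType, window: make([]byte, 4*1024)}
	l.chans[ch.localID] = ch
	l.next++
	return ch
}

func (l *chanList) remove(id uint32) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.chans, id)
}

func (l *chanList) size() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.chans)
}

// serverConn models one authenticated connection as seen by the server.
type serverConn struct {
	chans       *chanList
	fixed       bool // true: rejected channels are removed from chans (the fix)
	maxRejected int  // 0 = no limit; otherwise close the connection after this many rejections
	rejected    int
	peak        int
	closed      bool
}

// reject answers the channel-open request with a failure and, in the fixed
// variant, drops the channel from the table so it can be garbage collected.
// The vulnerable variant marks the channel decided but keeps the entry.
func (c *serverConn) reject(ch *channel) error {
	if ch.decided {
		return errAlreadyDecided
	}
	ch.decided = true
	// (the channel-open failure reply would be sent to the client here)
	if c.fixed {
		c.chans.remove(ch.localID)
	}
	return nil
}

// handleChannelOpen registers an incoming channel-open request and rejects
// every channel type except "session", as a typical server would.
func (c *serverConn) handleChannelOpen(chanType string) error {
	if c.closed {
		return errConnClosed
	}
	ch := c.chans.add(chanType)
	if s := c.chans.size(); s > c.peak {
		c.peak = s
	}
	if chanType == "session" {
		return nil // accepted; lives until the client closes it
	}
	if err := c.reject(ch); err != nil {
		return err
	}
	c.rejected++
	if c.maxRejected > 0 && c.rejected >= c.maxRejected {
		// Defensive limit (an assumption, not part of the library): tearing the
		// connection down releases the whole table, bounding what one client can hold.
		c.closed = true
		c.chans = newChanList()
		return errConnClosed
	}
	return nil
}

type result struct {
	retained, peak int // channel entries held at the end / at the high-water mark
	closed         bool
}

// simulate drives n channel-open requests of an unsupported type from one
// authenticated client and reports what the server still holds afterwards.
func simulate(fixed bool, maxRejected, n int) result {
	c := &serverConn{chans: newChanList(), fixed: fixed, maxRejected: maxRejected}
	for i := 0; i < n; i++ {
		if err := c.handleChannelOpen("direct-tcpip"); errors.Is(err, errConnClosed) {
			break
		}
	}
	return result{retained: c.chans.size(), peak: c.peak, closed: c.closed}
}

func main() {
	for _, tc := range []struct {
		name  string
		fixed bool
		limit int
	}{{"vulnerable, no limit", false, 0}, {"vulnerable, limit 100", false, 100}, {"fixed", true, 0}} {
		r := simulate(tc.fixed, tc.limit, 1000)
		fmt.Printf("%-22s retained=%d peak=%d closed=%v\n", tc.name, r.retained, r.peak, r.closed)
	}
}
```

In the vulnerable variant the table grows by one entry per rejected request and never shrinks; in the fixed variant the high-water mark stays at one. In the real package the rejection corresponds to calling Reject on the ssh.NewChannel values a server reads from the channel returned by ssh.NewServerConn; the rejection budget above is a hypothetical mitigation layered on top of that loop, and updating the module remains the actual fix.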

Remediation

Update the golang.org/x/crypto module to version 0.52.0 or later (the fix is in that module, not in the Go toolchain) and rebuild and redeploy every binary that links the ssh package, since the module is compiled into each binary. Until that is possible, limiting the number of channel-open rejections a single connection may accumulate before it is closed, and alerting on memory growth of the SSH server process, reduce the exposure.

Added: May 22, 2026, 4:33 AM
Updated: May 22, 2026, 4:33 AM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          2.5
exploitability  4.3
remediation     7.7
relevance       8.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.