Description
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
A flaw in golang.org/x/crypto/ssh/agent causes the SSH agent client to panic when a peer responds with the generic SSH_AGENT_SUCCESS (0x06) message to requests expecting typed replies (e.g., List, Sign). The unmarshal layer produces an unexpected message type, which the client code does not handle, leading to panic("unreachable") or a nil-pointer dereference. A malicious agent or forwarded connection can exploit this to terminate the client process.
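To show the failure mode concretely, here is an added example (my own code, not from golang.org/x/crypto or this advisory) that contrasts the fragile "every other reply is unreachable" dispatch with a decoder that turns an unexpected reply type into an error. It assumes the standard wire layout of a sign reply (type byte followed by an SSH string) and the standard message numbers 5 (SSH_AGENT_FAILURE) and 14 (SSH_AGENT_SIGN_RESPONSE); only SSH_AGENT_SUCCESS (6) is quoted on this page.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SSH agent message numbers (draft-miller-ssh-agent); 6 is the value quoted on this page.
const (
	agentFailure      = 5
	agentSuccess      = 6
	agentSignResponse = 14
)

// signatureOrPanic is the fragile pattern: only the expected replies are handled,
// so a bare SSH_AGENT_SUCCESS byte reaches panic("unreachable") and kills the client.
func signatureOrPanic(reply []byte) []byte {
	switch reply[0] {
	case agentSignResponse:
		return reply[5:]
	case agentFailure:
		return nil
	}
	panic("unreachable")
}

// parseSignReply is the hardened form: a sign reply must be byte 14 followed by an
// SSH string (uint32 big-endian length + signature); any other type becomes an error.
func parseSignReply(reply []byte) ([]byte, error) {
	if len(reply) == 0 {
		return nil, errors.New("agent: empty reply")
	}
	switch reply[0] {
	case agentSignResponse:
		body := reply[1:]
		if len(body) < 4 || uint64(len(body)-4) < uint64(binary.BigEndian.Uint32(body)) {
			return nil, errors.New("agent: malformed signature string")
		}
		return body[4 : 4+binary.BigEndian.Uint32(body)], nil
	case agentFailure:
		return nil, errors.New("agent: sign request refused")
	default: // SSH_AGENT_SUCCESS (0x06) or anything else the author did not expect
		return nil, fmt.Errorf("agent: unexpected reply type 0x%02x", reply[0])
	}
}

func main() {
	fmt.Println(parseSignReply([]byte{agentSuccess})) // constructed hostile reply
}
```

The same one-byte reply that makes signatureOrPanic abort the process is reported by parseSignReply as an ordinary error the caller can log and handle.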
Statement
This vulnerability was marked as Important because it allows any malicious or misbehaving SSH agent to force a crash in the client process using a single valid protocol byte. The panic occurs before the client has a chance to validate message structure or recover, which means an attacker controlling—or intercepting—SSH agent traffic can reliably terminate processes that rely on agent interactions. In environments where SSH agents operate over forwarded sockets, shared workspaces, or CI/CD runners, this turns into a reliable, unauthenticated remote denial of service against critical automation or developer tooling. The flaw also stems from unsafe assumptions in the unmarshalling logic, where unexpected but protocol-legal message types drop into “unreachable” code paths instead of being handled gracefully—making it a design-level reliability break rather than a simple error-handling bug. For this reason, it is rated as an important availability-impacting vulnerability rather than a moderate issue.
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-rhel9 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-image-set-controller-rhel8 | Affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/cluster-image-set-controller-rhel9 | Affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/hive-rhel8 | Affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/hive-rhel9 | Affected | | |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-agent-base-rhel9 | Affected | | |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Affected | | |
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel9 | Affected | | |
| OpenShift Developer Tools and Services | openshift4/ose-jenkins | Affected | | |
| OpenShift Serverless | openshift-serverless-1/kn-plugin-func-func-util-rhel9 | Affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Potential denial of service in golang.org/x/crypto/ssh/agent: SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.