CVE-2019-17596

Published: 24/10/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Go prior to 1.12.11 and 1.13.x prior to 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Vulnerable Products

golang go

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 30

fedoraproject fedora 31

redhat enterprise linux 8.0

redhat developer tools 1.0

redhat enterprise linux server 8.1

opensuse leap 15.0

opensuse leap 15.1

arista mos

arista eos

arista cloudvision portal 2019.1.2

arista cloudvision portal 2019.1.1

arista cloudvision portal 2019.1.0

arista cloudvision portal

arista terminattr

Vendor Advisories

Synopsis Moderate: go-toolset-1.12-golang security update Type/Severity Security Advisory: Moderate Topic An update for go-toolset-1.12 and go-toolset-1.12-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vul ...
Synopsis Moderate: go-toolset:rhel8 security update Type/Severity Security Advisory: Moderate Topic An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring ...
Debian Bug report logs - #942628 golang-1.13: CVE-2019-17596: invalid public key causes panic in dsa.Verify Package: src:golang-1.13; Maintainer for src:golang-1.13 is Go Compiler Team <team+go-compiler@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sat, 19 Oct 2019 06:27:01 UTC Seve ...
Daniel Mandragona discovered that invalid DSA public keys can cause a panic in dsa.Verify(), resulting in denial of service. For the stable distribution (buster), this problem has been fixed in version 1.11.6-1+deb10u3. We recommend that you upgrade your golang-1.11 packages. For the detailed security status of golang-1.11 please refer to its secur ...
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/htt ...

Github Repositories

Demonstration of Go's dsa.Verify bug (CVE-2019-17596)

Exploiting dsa.Verify in Go (CVE-2019-17596). Please see the associated blog post for details. Running: Since versions of Go newer than 1.13.1 are patched, I've included a Dockerfile that makes it easier to pin your Go version. Simply run Docker build: docker build. There are two files of interest: dsa_test.go: Contains a test case for