CVE-2019-17596

Q: What is the severity of CVE-2019-17596?

CVE-2019-17596 has a CVSS score of 7.5 (HIGH). A vulnerability in Go's crypto/dsa package causes a panic when processing network traffic containing invalid DSA public keys. This can lead to denial of service attacks against servers that verify client certificates or process DSA-signed traffic. Affects Go applications and services using DSA cryptography.

7.5 HIGH

Denial of Service

📋 TL;DR

A vulnerability in Go's crypto/dsa package causes a panic when processing network traffic containing invalid DSA public keys. This can lead to denial of service attacks against servers that verify client certificates or process DSA-signed traffic. Affects Go applications and services using DSA cryptography.

💻 Affected Systems

Products:

Go programming language
Applications built with Go using crypto/dsa

Versions: Go 1.12.x before 1.12.11, Go 1.13.x before 1.13.2

Operating Systems: All platforms running affected Go versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using DSA cryptography for certificate verification or signatures

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote denial of service causing service crashes and availability impact on internet-facing services

🟠

Likely Case

Service disruption through crafted network traffic causing panic and restart

🟢

If Mitigated

Limited impact with proper monitoring and automatic restart mechanisms

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted network traffic to vulnerable services

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.12.11 or Go 1.13.2

Vendor Advisory: https://github.com/golang/go/issues/34960

Restart Required: Yes

Instructions:

1. Update Go installation to 1.12.11 or 1.13.2. 2. Recompile all Go applications with updated version. 3. Restart affected services.

🔧 Temporary Workarounds

Disable DSA certificate verification

all

Configure services to not use DSA certificates for client verification

Network filtering

all

Block or filter traffic containing DSA certificates at network perimeter

🧯 If You Can't Patch

Implement rate limiting and monitoring for service crashes
Use load balancers with health checks and automatic failover

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version' command and verify if within affected range

Check Version:

go version

Verify Fix Applied:

Confirm Go version is 1.12.11+ or 1.13.2+ and test with known invalid DSA key

📡 Detection & Monitoring

Log Indicators:

Go panic logs mentioning crypto/dsa
Service crashes during TLS handshake

Network Indicators:

Unusual traffic patterns with DSA certificates
Repeated connection attempts to TLS services

SIEM Query:

source="application.log" AND "panic" AND "crypto/dsa"

📊 Metadata

CVE ID: CVE-2019-17596

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-436

Published: October 24, 2019

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0101 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0329 Third Party Advisory
https://github.com/golang/go/issues/34960 Exploit,Issue Tracking,Patch,Third Party Advisory
https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VS3HPSE25ZSGS4RSOTADC67YNOHIGVV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVOWGM7IQGRO7DS2MCUMYZRQ4TYOZNAS/
https://security.netapp.com/advisory/ntap-20191122-0005/ Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/10134-security-advisory-46 Third Party Advisory
https://www.debian.org/security/2019/dsa-4551 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0101 Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0329 Third Party Advisory
https://github.com/golang/go/issues/34960 Exploit,Issue Tracking,Patch,Third Party Advisory
https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VS3HPSE25ZSGS4RSOTADC67YNOHIGVV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVOWGM7IQGRO7DS2MCUMYZRQ4TYOZNAS/
https://security.netapp.com/advisory/ntap-20191122-0005/ Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/10134-security-advisory-46 Third Party Advisory
https://www.debian.org/security/2019/dsa-4551 Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cloudvision Portal by Arista

Cloudvision Portal by Arista

Cloudvision Portal by Arista

Cloudvision Portal by Arista

Debian Linux by Debian

Debian Linux by Debian

Developer Tools by Redhat

Enterprise Linux by Redhat

Enterprise Linux Server by Redhat

Eos by Arista

Fedora by Fedoraproject

Fedora by Fedoraproject

Go by Golang

Go by Golang

Leap by Opensuse

Leap by Opensuse

Mos by Arista

Terminattr by Arista

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable DSA certificate verification

Network filtering

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities