{"id":"GHSA-c279-989m-238f","summary":"Sliver: Nil Pointer Dereference in tunnelCloseHandler causes panic when a reverse tunnel (rportfwd) close is attempted","details":"### Summary\nA nil pointer dereference in `tunnelCloseHandler` causes the handler goroutine to panic whenever a reverse tunnel (rportfwd) close is attempted. Both the legitimate close path AND the unauthorized close path dereference `tunnel.SessionID` where `tunnel` is guaranteed nil. This means rportfwd tunnels can never be cleanly closed, and any authenticated implant can trigger repeated goroutine panics.\n\n### Details\nFile: `server/handlers/sessions.go` lines 172 and 175\n\nThe function enters an `else` block precisely because `core.Tunnels.Get(tunnelData.TunnelID)` returned `nil`. Both conditions inside that else block then dereference `tunnel.SessionID` instead of `rtunnel.SessionID`:\n```go\n} else {\n rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)\n\n if rtunnel != nil && session.ID == tunnel.SessionID { // LINE 172 — nil deref\n rtunnel.Close()\n rtunnels.RemoveRTunnel(rtunnel.ID)\n } else if rtunnel != nil && session.ID != tunnel.SessionID { // LINE 175 — nil deref\n sessionHandlerLog.Warnf(\"...\")\n }\n}\n```\n\nNote: The identical bug was already fixed in `tunnelDataHandler` at lines 124/126 (correctly uses `rtunnel.SessionID`), but the fix was \nnot applied to `tunnelCloseHandler`.\n\n### PoC\n```go\ntunnel := GetTunnel(999) // returns nil — no normal tunnel with this ID\n// tunnel is nil here\n\nrtunnel := GetRTunnel(999) // returns valid rtunnel owned by session-AAAA\n\n// Both lines below panic with:\n// runtime error: invalid memory address or nil pointer dereference\nif rtunnel != nil && sessionID == tunnel.SessionID { ... } // line 172\n} else if rtunnel != nil && sessionID != tunnel.SessionID { ... } // line 175\n```\n\nConfirmed on master commit `7ac4db3fa` with standalone reproducer.\nOutput:\n```\nPANIC on line 172 (legitimate close): runtime error: invalid memory address or nil pointer dereference\nPANIC on line 175 (unauthorized close): runtime error: invalid memory address or nil pointer dereference\n```\n\n![1](https://github.com/user-attachments/assets/93b24286-3282-454f-80a4-b01abe4f1d63)\n![2](https://github.com/user-attachments/assets/d4219aea-eb18-474c-b69a-a5e20e97161f)\n![3](https://github.com/user-attachments/assets/5a76b0d7-ae5b-4d91-bfe9-730d3e5c322c)\n\n### Impact\n- rportfwd tunnels **cannot be closed** — functional regression\n- Any authenticated implant can trigger repeated handler goroutine panics\n- rtunnel map entries leak (never cleaned up on close failure)\n- `recoverAndLogPanic()` prevents full server crash but silently drops the close operation\n\n### Fix\nReplace `tunnel.SessionID` with `rtunnel.SessionID` on both lines:\n```diff\n- if rtunnel != nil && session.ID == tunnel.SessionID {\n+ if rtunnel != nil && session.ID == rtunnel.SessionID {\n rtunnel.Close()\n rtunnels.RemoveRTunnel(rtunnel.ID)\n- } else if rtunnel != nil && session.ID != tunnel.SessionID {\n+ } else if rtunnel != nil && session.ID != rtunnel.SessionID {\n```","aliases":["GO-2026-4899"],"modified":"2026-04-02T21:26:25.815310466Z","published":"2026-03-29T15:25:42Z","database_specific":{"severity":"HIGH","nvd_published_at":null,"cwe_ids":["CWE-476"],"github_reviewed":true,"github_reviewed_at":"2026-03-29T15:25:42Z"},"references":[{"type":"WEB","url":"https://github.com/BishopFox/sliver/security/advisories/GHSA-c279-989m-238f"},{"type":"PACKAGE","url":"https://github.com/BishopFox/sliver"}],"affected":[{"package":{"name":"github.com/bishopfox/sliver","ecosystem":"Go","purl":"pkg:golang/github.com/bishopfox/sliver"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"1.7.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-c279-989m-238f/GHSA-c279-989m-238f.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}