CVE-2020-28366: Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo

Published Nov 12, 2020
·
Updated

An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via go get or go build while building a Go project. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Other sources

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw in go command when cgo is in use in build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol names. This has been fixed by rejecting invalid symbols which may add a //go:cgoldflag directive to the generated file, and by ensuring that the go tool follows existing LDFLAG restrictions.

References: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ https://github.com/golang/go/issues/42559

Red Hat

Affected Software

13 affected componentsFixes available
redhat/openshift-serverless-clients<0:0.18.4-2.el8
0:0.18.4-2.el8
redhat/go-toolset<1.14-0:1.14.12-1.el7_9
1.14-0:1.14.12-1.el7_9
redhat/go-toolset<1.14-golang-0:1.14.12-1.el7_9
1.14-golang-0:1.14.12-1.el7_9
redhat/go<1.15.5
1.15.5
redhat/go<1.14.12
1.14.12
IBM Cloud Pak for Security<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software<=1.10.12.0 - 1.10.16.0
Golang Go<1.14.12
Golang Go>=1.15<1.15.5
Fedoraproject Fedora=32
Fedoraproject Fedora=33
NetApp Cloud Insights Telegraf Agent
NetApp Trident

Remediation

Patch Available

https://go.dev/cl/269658

Patch Available

https://go.dev/issue/42559

Patch Available

https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292

Information

If it's possible to confirm that the Go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either `go get` or `go build`. For example: CGO_ENABLED=0 go get github.com/someproject This will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files. Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.

Event History

Nov 12, 2020
CVE Published
12:00 AM
Nov 18, 2020
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this Go code injection vulnerability?

The vulnerability ID for this Go code injection vulnerability is CVE-2020-28366.

2

What is the severity of CVE-2020-28366?

The severity of CVE-2020-28366 is high with a CVSS score of 7.5.

3

Which versions of Go are affected by this vulnerability?

Versions before Go 1.14.12 and Go 1.15.5 are affected by this vulnerability.

4

How can an attacker exploit this vulnerability?

An attacker can exploit this vulnerability by modifying symbols within a generated go file and specifying malicious code.

5

What is the remedy for this vulnerability?

The remedy for this vulnerability is to update to Go 1.14.12 or Go 1.15.5.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203