CVE-2020-28367: Arbitrary code execution via the go command with cgo in cmd/go
An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via go get or go build while building a Go project. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
Other sources
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw in the go command when cgo is in use at build time. By using a specially-crafted package, an attacker could exploit this vulnerability to execute arbitrary code on the system.
— IBM
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive.
References:
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ
https://github.com/golang/go/issues/42556
— Red Hat
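As an added defensive example (not code from the Go project or from any of the sources quoted above), here is a small Go audit pass that lists the #cgo flags in untrusted source that fall outside a narrow allowlist, so they can be reviewed before `go build` hands them to gcc. The allowlist, the regular expressions and the sample file are assumptions of this example, not Go's own validation table.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one #cgo flag token that falls outside the audit allowlist.
type Finding struct {
	Line int
	Kind string // CFLAGS, LDFLAGS, ...
	Flag string
}

// cgoLine matches "// #cgo [build constraints] KIND: flags" as written in Go sources.
var cgoLine = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:[\w,!]+\s+)?(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS):\s*(.*)$`)

// allowedFlag is this example's deliberately narrow allowlist (an assumption, not
// Go's own validation table); every token it does not match is reported for review.
var allowedFlag = regexp.MustCompile(`^-(?:[DILlO]|std=|pthread$|Wall$|Wextra$|Werror$)`)

// AuditCgoFlags returns every #cgo flag token in src that needs human review before go build.
func AuditCgoFlags(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := cgoLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		for _, tok := range strings.Fields(m[2]) {
			if !allowedFlag.MatchString(tok) {
				out = append(out, Finding{Line: i + 1, Kind: m[1], Flag: tok})
			}
		}
	}
	return out
}

// sample is a constructed Go file: two benign directives and one that needs review.
const sample = "package native\n\n// #cgo CFLAGS: -I/usr/include/foo -DFOO=1\n" +
	"// #cgo LDFLAGS: -L/usr/lib -lfoo\n" +
	"// #cgo linux LDFLAGS: -Wl,--some-unexpected-linker-option\nimport \"C\"\n"

func main() {
	for _, f := range AuditCgoFlags(sample) {
		fmt.Printf("line %d: %s flag %q needs review\n", f.Line, f.Kind, f.Flag)
	}
}
```

Running the audit over a downloaded module before building it is a stop-gap for hosts that cannot yet move to a fixed Go release; it does not replace upgrading.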
Remediation
Patch Available
Frequently Asked Questions
What is CVE-2020-28367?
CVE-2020-28367 is a code injection vulnerability in the go command with cgo before Go 1.14.12 and Go 1.15.5 that allows arbitrary code execution.
How does CVE-2020-28367 impact Go?
CVE-2020-28367 allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via `go get` or `go build`.
What is the severity of CVE-2020-28367?
CVE-2020-28367 has a severity rating of high (7 out of 10).
Which versions of Go are affected by CVE-2020-28367?
CVE-2020-28367 affects Go versions before Go 1.14.12 and Go 1.15.5.
How can I mitigate the risk of CVE-2020-28367?
To mitigate the risk of CVE-2020-28367, it is recommended to update to Go 1.14.12 or Go 1.15.5.