ID CVE-2018-6574
Summary Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
References
Vulnerable Configurations
  • Golang Go 1.8.6
    cpe:2.3:a:golang:go:1.8.6
  • Golang Go 1.9
    cpe:2.3:a:golang:go:1.9
  • Golang Go 1.9.1
    cpe:2.3:a:golang:go:1.9.1
  • Golang Go 1.9.2
    cpe:2.3:a:golang:go:1.9.2
  • Golang Go 1.9.3
    cpe:2.3:a:golang:go:1.9.3
  • Golang Go 1.10 Beta1
    cpe:2.3:a:golang:go:1.10:beta1
  • Golang Go 1.10 Beta2
    cpe:2.3:a:golang:go:1.10:beta2
  • Golang Go 1.10 Release Candidate 1
    cpe:2.3:a:golang:go:1.10:rc1
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
CVSS
Base: 4.6
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has already modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example by causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server: adding the role name "public" grants every user with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but once it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201803-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201803-03 (Go: User-assisted execution of arbitrary code). A command injection flaw was discovered in the source code build phase because the “go get” command does not block -fplugin= and -plugin arguments. Impact: A remote attacker could entice a user to process a repository containing maliciously-crafted build instructions using “go get”, resulting in the execution of arbitrary code with the privileges of the process. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 107201
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107201
    title GLSA-201803-03 : Go: User-assisted execution of arbitrary code
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0117.NASL
    description An update of 'go' packages of Photon OS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111924
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111924
    title Photon OS 1.0: Go PHSA-2018-1.0-0117 (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-235.NASL
    description This update for go1.8 fixes the following issues. Security issues fixed: CVE-2018-6574: 'go get' allows for remote command execution during source code build (bsc#1080006). Bug fixes: bsc#1082409: Review dependencies (requires, recommends and supports). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 107202
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107202
    title openSUSE Security Update : go1.8 (openSUSE-2018-235)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-975.NASL
    description Arbitrary code execution during 'go get' via C compiler options: An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574) The 'go get' implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for '://' anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted website. (CVE-2018-7187)
    last seen 2019-02-21
    modified 2018-04-20
    plugin id 108600
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108600
    title Amazon Linux AMI : golang (ALAS-2018-975)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1304.NASL
    description An update for go-toolset-7 and go-toolset-7-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: go-toolset-7-golang (1.8.7). (BZ#1545319) Go Toolset is provided as a Technology Preview. Security Fix(es) : * golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed changes and information on usage, see Using Go Toolset linked from the References section. For information on scope of support, see the Technology Preview Features Support Scope document.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 109569
    published 2018-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109569
    title RHEL 7 : go-toolset-7 and go-toolset-7-golang (RHSA-2018:1304)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0878.NASL
    description An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang (1.9.4). (BZ#1479095, BZ#1499827) Security Fix(es) : * golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041) * golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042) * golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108990
    published 2018-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108990
    title RHEL 7 : golang (RHSA-2018:0878)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0878.NASL
    description An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang (1.9.4). (BZ#1479095, BZ#1499827) Security Fix(es) : * golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041) * golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042) * golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109376
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109376
    title CentOS 7 : golang (CESA-2018:0878)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-218.NASL
    description This update for go fixes the following issues. Security issues fixed in version 1.9.4: CVE-2018-6574: 'go get' remote command execution during source code build (bsc#1080006). Bug fixes: bsc#1082409: Review dependencies (requires, recommends and supports). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 107128
    published 2018-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107128
    title openSUSE Security Update : go (openSUSE-2018-218)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0026.NASL
    description An update of the 'systemd' and 'go' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111291
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111291
    title Photon OS 2.0 : systemd / go (PhotonOS-PHSA-2018-2.0-0026) (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-5562B6E2C0.NASL
    description - Security fix for CVE-2018-6574 - Rebase to latest point release Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 106909
    published 2018-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106909
    title Fedora 27 : golang (2018-5562b6e2c0)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180410_GOLANG_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: golang (1.9.4). Security Fix(es) : - golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041) - golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042) - golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) Additional Changes :
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 109448
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109448
    title Scientific Linux Security Update : golang on SL7.x (noarch)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0026_GO.NASL
    description An update of the go package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121926
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121926
    title Photon OS 2.0: Go PHSA-2018-2.0-0026
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-6F08B79A09.NASL
    description - Security fix for CVE-2018-6574 - Rebase to latest point release Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 107031
    published 2018-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107031
    title Fedora 26 : golang (2018-6f08b79a09)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0117_GO.NASL
    description An update of the go package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121815
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121815
    title Photon OS 1.0: Go PHSA-2018-1.0-0117
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1011.NASL
    description Arbitrary code execution during go get or go get -d: Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, 'go get' can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running 'go get'. (CVE-2017-15041) smtp.PlainAuth susceptible to man-in-the-middle password harvesting: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. (CVE-2017-15042) Arbitrary code execution during 'go get' via C compiler options: An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574)
    last seen 2019-02-21
    modified 2018-05-11
    plugin id 109690
    published 2018-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109690
    title Amazon Linux 2 : golang (ALAS-2018-1011)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4380.NASL
    description A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition this update fixes two vulnerabilities in 'go get', which could result in the execution of arbitrary shell commands.
    last seen 2019-02-21
    modified 2019-02-04
    plugin id 121558
    published 2019-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121558
    title Debian DSA-4380-1 : golang-1.8 - security update
redhat via4
advisories
  • bugzilla
    id 1543561
    title via C compiler options
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment golang is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878007
        • comment golang is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538016
      • AND
        • comment golang-bin is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878005
        • comment golang-bin is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538010
      • AND
        • comment golang-docs is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878015
        • comment golang-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538012
      • AND
        • comment golang-misc is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878011
        • comment golang-misc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538006
      • AND
        • comment golang-src is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878013
        • comment golang-src is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538008
      • AND
        • comment golang-tests is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878009
        • comment golang-tests is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538014
    rhsa
    id RHSA-2018:0878
    released 2018-04-10
    severity Moderate
    title RHSA-2018:0878: golang security, bug fix, and enhancement update (Moderate)
  • rhsa
    id RHSA-2018:1304
rpms
  • golang-0:1.9.4-1.el7
  • golang-bin-0:1.9.4-1.el7
  • golang-docs-0:1.9.4-1.el7
  • golang-misc-0:1.9.4-1.el7
  • golang-src-0:1.9.4-1.el7
  • golang-tests-0:1.9.4-1.el7
refmap via4
confirm
debian DSA-4380
misc https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
Last major update 07-02-2018 - 16:29
Published 07-02-2018 - 16:29
Last modified 02-10-2019 - 20:03