ID CVE-2018-6574
Summary Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
References
Vulnerable Configurations
  • Golang Go 1.8.6
    cpe:2.3:a:golang:go:1.8.6
  • Golang Go 1.9
    cpe:2.3:a:golang:go:1.9
  • Golang Go 1.9.1
    cpe:2.3:a:golang:go:1.9.1
  • Golang Go 1.9.2
    cpe:2.3:a:golang:go:1.9.2
  • Golang Go 1.9.3
    cpe:2.3:a:golang:go:1.9.3
  • Golang Go 1.10 Beta1
    cpe:2.3:a:golang:go:1.10:beta1
  • Golang Go 1.10 Beta2
    cpe:2.3:a:golang:go:1.10:beta2
  • Golang Go 1.10 Release Candidate 1
    cpe:2.3:a:golang:go:1.10:rc1
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server Advanced mission critical Update Support (AUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
  • Red Hat Enterprise Linux Server Extended Update Support (EUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
  • Red Hat Enterprise Linux Server Telecommunications Update Service (TUS) 7.6
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6
CVSS
Base: 4.6
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general, all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201803-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201803-03 (Go: User-assisted execution of arbitrary code) A command injection flaw was discovered in the source code build phase because of the “go get” command, which does not block -fplugin= and -plugin arguments. Impact : A remote attacker could entice a user to process a repository containing maliciously-crafted build instructions using “go get”, resulting in the execution of arbitrary code with the privileges of the process. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 107201
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107201
    title GLSA-201803-03 : Go: User-assisted execution of arbitrary code
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0117.NASL
    description An update of 'go' packages of Photon OS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111924
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111924
    title Photon OS 1.0: Go PHSA-2018-1.0-0117 (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-235.NASL
    description This update for go1.8 fixes the following issues : Security issues fixed : - CVE-2018-6574: 'go get' allows for remote command execution during source code build (bsc#1080006). Bug fixes : - bsc#1082409: Review dependencies (requires, recommends and supports) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 107202
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107202
    title openSUSE Security Update : go1.8 (openSUSE-2018-235)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-975.NASL
    description Arbitrary code execution during 'go get' via C compiler options : An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574) The 'go get' implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for '://' anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted website. (CVE-2018-7187)
    last seen 2019-02-21
    modified 2018-04-20
    plugin id 108600
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108600
    title Amazon Linux AMI : golang (ALAS-2018-975)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1304.NASL
    description An update for go-toolset-7 and go-toolset-7-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: go-toolset-7-golang (1.8.7). (BZ#1545319) Go Toolset is provided as a Technology Preview. Security Fix(es) : * golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed changes and information on usage, see Using Go Toolset linked from the References section. For information on scope of support, see the Technology Preview Features Support Scope document.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 109569
    published 2018-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109569
    title RHEL 7 : go-toolset-7 and go-toolset-7-golang (RHSA-2018:1304)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0878.NASL
    description An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang (1.9.4). (BZ#1479095, BZ#1499827) Security Fix(es) : * golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041) * golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042) * golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108990
    published 2018-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108990
    title RHEL 7 : golang (RHSA-2018:0878)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0878.NASL
    description An update for golang is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The golang packages provide the Go programming language compiler. The following packages have been upgraded to a later upstream version: golang (1.9.4). (BZ#1479095, BZ#1499827) Security Fix(es) : * golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041) * golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042) * golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109376
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109376
    title CentOS 7 : golang (CESA-2018:0878)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-218.NASL
    description This update for go fixes the following issues : Security issues fixed in version 1.9.4 : - CVE-2018-6574: 'go get' remote command execution during source code build (bsc#1080006). Bug fixes : - bsc#1082409: Review dependencies (requires, recommends and supports). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 107128
    published 2018-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107128
    title openSUSE Security Update : go (openSUSE-2018-218)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0026.NASL
    description An update of {'systemd', 'go'} packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111291
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111291
    title Photon OS 2.0 : systemd / go (PhotonOS-PHSA-2018-2.0-0026) (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-5562B6E2C0.NASL
    description - Security fix for CVE-2018-6574 - Rebase to latest point release Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 106909
    published 2018-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106909
    title Fedora 27 : golang (2018-5562b6e2c0)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180410_GOLANG_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: golang (1.9.4). Security Fix(es) : - golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041) - golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042) - golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574) Additional Changes :
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 109448
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109448
    title Scientific Linux Security Update : golang on SL7.x (noarch)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0026_GO.NASL
    description An update of the go package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121926
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121926
    title Photon OS 2.0: Go PHSA-2018-2.0-0026
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-6F08B79A09.NASL
    description - Security fix for CVE-2018-6574 - Rebase to latest point release Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-19
    plugin id 107031
    published 2018-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107031
    title Fedora 26 : golang (2018-6f08b79a09)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0117_GO.NASL
    description An update of the go package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121815
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121815
    title Photon OS 1.0: Go PHSA-2018-1.0-0117
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1011.NASL
    description Arbitrary code execution during go get or go get -d : Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, 'go get' can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running 'go get'. (CVE-2017-15041) smtp.PlainAuth susceptible to man-in-the-middle password harvesting : An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. (CVE-2017-15042) Arbitrary code execution during 'go get' via C compiler options : An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574)
    last seen 2019-02-21
    modified 2018-05-11
    plugin id 109690
    published 2018-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109690
    title Amazon Linux 2 : golang (ALAS-2018-1011)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4380.NASL
    description A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition this update fixes two vulnerabilities in 'go get', which could result in the execution of arbitrary shell commands.
    last seen 2019-02-21
    modified 2019-02-04
    plugin id 121558
    published 2019-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121558
    title Debian DSA-4380-1 : golang-1.8 - security update
redhat via4
advisories
  • bugzilla
    id 1543561
    title via C compiler options
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment golang is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878007
        • comment golang is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538016
      • AND
        • comment golang-bin is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878005
        • comment golang-bin is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538010
      • AND
        • comment golang-docs is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878015
        • comment golang-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538012
      • AND
        • comment golang-misc is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878011
        • comment golang-misc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538006
      • AND
        • comment golang-src is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878013
        • comment golang-src is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538008
      • AND
        • comment golang-tests is earlier than 0:1.9.4-1.el7
          oval oval:com.redhat.rhsa:tst:20180878009
        • comment golang-tests is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20161538014
    rhsa
    id RHSA-2018:0878
    released 2018-04-10
    severity Moderate
    title RHSA-2018:0878: golang security, bug fix, and enhancement update (Moderate)
  • rhsa
    id RHSA-2018:1304
rpms
  • golang-0:1.9.4-1.el7
  • golang-bin-0:1.9.4-1.el7
  • golang-docs-0:1.9.4-1.el7
  • golang-misc-0:1.9.4-1.el7
  • golang-src-0:1.9.4-1.el7
  • golang-tests-0:1.9.4-1.el7
refmap via4
confirm
debian DSA-4380
misc https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
Last major update 07-02-2018 - 16:29
Published 07-02-2018 - 16:29
Last modified 01-03-2019 - 13:55