Golang Vulnerability Alert: Remote Code Execution & Infinite Loop DNS Lookup

The Go programming language, widely recognized for its efficiency and simplicity, has recently been the subject of critical security updates.

The Go team has released patches for two significant vulnerabilities that could allow attackers to execute arbitrary code and cause service disruptions through infinite loops.

These vulnerabilities, identified as CVE-2024-24787 and CVE-2024-24788, pose serious risks to systems running affected versions of Go.

Arbitrary Code Execution Vulnerability On Darwin (CVE-2024-24787)

A critical vulnerability has been discovered in the Go programming environment, specifically affecting Darwin operating systems.

Document

Free Webinar : Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise:

Key Takeaways:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Start protecting your APIs from hackers

This issue, tracked under CVE-2024-24787, arises during the build process of Go modules that incorporate CGO.

The vulnerability is triggered by the misuse of the `-lto_library` flag in the `#cgo LDFLAGS` directive, which is used with Apple’s version of the linker (ld).

This flaw could allow an attacker to execute arbitrary code by loading a malicious LTO (Link Time Optimization) library during the build process.

The vulnerability has been assigned a CVSS score of 9.8, indicating its severity.

Infinite Loop In DNS Lookup Functions (CVE-2024-24788)

The second vulnerability, CVE-2024-24788, affects Go’s DNS lookup functions. A specially crafted DNS response can cause these functions to enter an infinite loop, potentially leading to a Denial-of-Service (DoS) condition.

This vulnerability primarily threatens web-facing applications and services that rely on Go for DNS queries, with a CVSS score of 7.5 reflecting its significant impact.

Urgent Call To Update

The Go team has responded swiftly to these threats by releasing Go versions 1.22.3 and 1.21.10, which address these vulnerabilities.

Developers and system administrators are urged to update their Go installations immediately to protect their systems from potential exploits.

The updates include necessary fixes that prevent the exploitation of these vulnerabilities.

These recent vulnerabilities highlight the ongoing challenges faced in securing software supply chains and infrastructure.

As the use of Go continues to grow in various applications, maintaining rigorous security practices and regular updates becomes increasingly critical.

Go users are advised to follow security best practices and update their systems promptly to mitigate these risks.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.