Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data     race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a     request body and writes a response at the same     time.(CVE-2020-15586)

  - Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10     pre-releases before Go 1.10rc2 allow 'go get' remote     command execution during source code build, by     leveraging the gcc or clang plugin feature, because
    -fplugin= and -plugin= arguments were not     blocked.(CVE-2018-6574)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has golang packages installed that are affected by multiple vulnerabilities:

  - An arbitrary command execution flaw was found in the way     Go's go get command handled the checkout of source     code repositories. A remote attacker capable of hosting     malicious repositories could potentially use this flaw     to cause arbitrary command execution on the client side.
    (CVE-2017-15041)

  - It was found that smtp.PlainAuth authentication scheme     in Go did not verify the TLS requirement properly. A     remote man-in-the-middle attacker could potentially use     this flaw to sniff SMTP credentials sent by a Go     application. (CVE-2017-15042)

  - An arbitrary command execution flaw was found in the way     Go's go get command handled gcc and clang sensitive     options during the build. A remote attacker capable of     hosting malicious repositories could potentially use     this flaw to cause arbitrary command execution on the     client side. (CVE-2018-6574)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery.

In addition this update fixes two vulnerabilities in 'go get', which could result in the execution of arbitrary shell commands.

Arbitrary code execution during go get or go get -d

Go before 1.8.4 and 1.9.x before 1.9.1 allows 'go get' remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, 'go get' can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running 'go get.'(CVE-2017-15041)

smtp.PlainAuth susceptible to man-in-the-middle password harvesting

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.(CVE-2017-15042)

Arbitrary code execution during 'go get' via C compiler options

An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.(CVE-2018-6574)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:1304 advisory.

  - golang: arbitrary code execution during go get via C compiler options (CVE-2018-6574)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The following packages have been upgraded to a later upstream version:
golang (1.9.4).

Security Fix(es) :

  - golang: arbitrary code execution during 'go get' or 'go     get -d' (CVE-2017-15041)

  - golang: smtp.PlainAuth susceptible to man-in-the-middle     password harvesting (CVE-2017-15042)

  - golang: arbitrary code execution during 'go get' via C     compiler options (CVE-2018-6574)

Additional Changes :

An update for golang is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The golang packages provide the Go programming language compiler.

The following packages have been upgraded to a later upstream version:
golang (1.9.4). (BZ#1479095, BZ#1499827)

Security Fix(es) :

* golang: arbitrary code execution during 'go get' or 'go get -d' (CVE-2017-15041)

* golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting (CVE-2017-15042)

* golang: arbitrary code execution during 'go get' via C compiler options (CVE-2018-6574)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Arbitrary code execution during 'go get' via C compiler options :

An arbitrary command execution flaw was found in the way Go's 'go get' command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. (CVE-2018-6574)

The 'go get' implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for '://' anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted website. (CVE-2018-7187)

This update for go1.8 fixes the following issues :

Security issues fixed :

  - CVE-2018-6574: 'go get' allows for remote command     execution during source code build (bsc#1080006).

Bug fixes :

  - bsc#1082409: Review dependencies (requires, recommends     and supports)

This update was imported from the SUSE:SLE-12:Update update project.

The remote host is affected by the vulnerability described in GLSA-201803-03 (Go: User-assisted execution of arbitrary code)

    A command injection flaw was discovered in the source code build phase       because of the &ldquo;go get&rdquo; command, which does not block -fplugin= and
      -plugin arguments.
  Impact :

    A remote attacker could entice a user to process a repository containing       maliciously-crafted build instructions using &ldquo;go get&rdquo;, resulting in       the execution of arbitrary code with the privileges of the process.
  Workaround :

    There is no known workaround at this time.

This update for go fixes the following issues :

Security issues fix in version 1.9.4 :

  - CVE-2018-6574: 'go get' remote command execution during     source code build (bsc#1080006).

Bug fixes :

  - bsc#1082409: Review dependencies (requires, recommends     and supports).

This update was imported from the SUSE:SLE-12:Update update project.

- Security fix for CVE-2018-6574

  - Rebase to latest point release

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
140845	EulerOS 2.0 SP3 : golang (EulerOS-SA-2020-2078)	Nessus	Huawei Local Security Checks	high
127229	NewStart CGSL CORE 5.04 / MAIN 5.04 : golang Multiple Vulnerabilities (NS-SA-2019-0047)	Nessus	NewStart CGSL Local Security Checks	critical
121926	Photon OS 2.0: Go PHSA-2018-2.0-0026	Nessus	PhotonOS Local Security Checks	high
121815	Photon OS 1.0: Go PHSA-2018-1.0-0117	Nessus	PhotonOS Local Security Checks	high
121558	Debian DSA-4380-1 : golang-1.8 - security update	Nessus	Debian Local Security Checks	high
109690	Amazon Linux 2 : golang (ALAS-2018-1011)	Nessus	Amazon Linux Local Security Checks	critical
109569	RHEL 7 : go-toolset-7 and go-toolset-7-golang (RHSA-2018:1304)	Nessus	Red Hat Local Security Checks	high
109448	Scientific Linux Security Update : golang on SL7.x (noarch) (20180410)	Nessus	Scientific Linux Local Security Checks	critical
109376	CentOS 7 : golang (CESA-2018:0878)	Nessus	CentOS Local Security Checks	critical
108990	RHEL 7 : golang (RHSA-2018:0878)	Nessus	Red Hat Local Security Checks	critical
108600	Amazon Linux AMI : golang (ALAS-2018-975)	Nessus	Amazon Linux Local Security Checks	high
107202	openSUSE Security Update : go1.8 (openSUSE-2018-235)	Nessus	SuSE Local Security Checks	high
107201	GLSA-201803-03 : Go: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
107128	openSUSE Security Update : go (openSUSE-2018-218)	Nessus	SuSE Local Security Checks	high
107031	Fedora 26 : golang (2018-6f08b79a09)	Nessus	Fedora Local Security Checks	high
106909	Fedora 27 : golang (2018-5562b6e2c0)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2018-6574

high

Tenable Plugins

high

critical

high

high

high

critical

high

critical

critical

critical

high

high

high

high

high

high