CVE-2012-2666

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Go programming language allows local privilege escalation through predictable temporary file creation. The dotest() function in debug/gosym/pclntab_test.go creates temporary files with predictable names that other users on a shared system can hijack. It affects multi-user systems where Go 1.0.1 or earlier is installed and users can execute tests.

💻 Affected Systems

Products:
  • Go programming language (golang)
Versions: Go versions before 1.0.2
Operating Systems: All operating systems where Go is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable on shared/multi-user systems where multiple users can create files in the same temporary directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains root privileges by hijacking temporary file creation and executing arbitrary code as the user running the test.

🟠 Likely Case

Local user privilege escalation allowing execution of arbitrary shell commands with the privileges of the user running Go tests.

🟢 If Mitigated

No impact if systems are single-user or proper file permissions prevent symlink attacks.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Risk exists on shared development servers, CI/CD systems, or multi-user systems where Go tests are run.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to predict/create symlinks in the temporary directory. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.0.2 and later

Vendor Advisory: https://github.com/golang/go/commit/8ac275bb01588a8c0e6c0fe2de7fd11f08feccdd

Restart Required: No

Instructions:

1. Upgrade Go to version 1.0.2 or later.
2. Download from https://golang.org/dl/.
3. Replace existing Go installation.
4. Verify installation with 'go version'.

🔧 Temporary Workarounds

Secure temporary directory permissions

linux

Set secure permissions on temporary directories to prevent symlink attacks

chmod 1777 /tmp
chmod 1777 /var/tmp

Disable test execution

all

Prevent execution of Go tests on shared systems

chmod -x /usr/local/go/src/pkg/debug/gosym/pclntab_test.go

🧯 If You Can't Patch

  • Implement strict file permissions on temporary directories to prevent symlink attacks
  • Isolate user environments using containers or virtualization to prevent cross-user file access

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the output shows version 1.0.1 or earlier, the system is vulnerable.

Check Version:

go version

Verify Fix Applied:

Run 'go version' and confirm the output shows 1.0.2 or later. Test that the pclntab_test.go file no longer creates predictable temporary files.
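
What non-predictable temporary file creation looks like in current Go, as an added example (not the Go project's patch and not code from this advisory): the scratch file lives in a randomly named private directory and is opened with exclusive create, so a name that is already occupied is refused instead of followed. All function names are hypothetical and the sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// createExclusive (hypothetical helper) fails with EEXIST if anything already
// sits at path; O_CREATE|O_EXCL does not follow a symlink placed there.
func createExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// scratchFile creates name inside a fresh, randomly named 0700 directory.
func scratchFile(prefix, name string) (*os.File, error) {
	dir, err := os.MkdirTemp("", prefix) // ioutil.TempDir on older Go releases
	if err != nil {
		return nil, err
	}
	f, err := createExclusive(filepath.Join(dir, name))
	if err != nil {
		os.RemoveAll(dir)
	}
	return f, err
}

// plantedPathRejected: constructed case where a link already occupies a fixed name.
func plantedPathRejected() bool {
	shared, _ := os.MkdirTemp("", "shared-")
	defer os.RemoveAll(shared)
	target := filepath.Join(shared, "existing-file")
	os.WriteFile(target, []byte("original"), 0o600)
	fixed := filepath.Join(shared, "fixed-name")
	os.Symlink(target, fixed)
	_, err := createExclusive(fixed)
	data, _ := os.ReadFile(target)
	return errors.Is(err, os.ErrExist) && string(data) == "original"
}

func main() {
	f, err := scratchFile("gosym-demo-", "scratch.bin")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(f.Name()))
	defer f.Close()
	fmt.Println(f.Name(), "planted path rejected:", plantedPathRejected())
}
```

A test helper that passes either check creates its files in a place other local users cannot name in advance or write into.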

📡 Detection & Monitoring

Log Indicators:

  • Failed symlink creation attempts in /tmp or test directories
  • Unexpected shell script execution from temporary files

Network Indicators:

  • No network indicators - this is a local vulnerability

SIEM Query:

Process creation from /tmp/go-test-* files or symlink creation attempts in temporary directories
