CVE-2020-16845

7.5 HIGH

📋 TL;DR

This vulnerability in Go's encoding/binary package allows attackers to cause infinite read loops via specially crafted invalid inputs to the ReadUvarint and ReadVarint functions. This can lead to denial of service by consuming excessive CPU resources. Applications that use affected Go versions to parse binary data are vulnerable.

💻 Affected Systems

Products:
  • Go programming language
  • Applications built with Go
Versions: Go versions before 1.13.15 and 1.14.x before 1.14.7
Operating Systems: All platforms running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using encoding/binary.ReadUvarint or ReadVarint functions is vulnerable when processing untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service through CPU exhaustion, potentially causing application crashes or unresponsiveness that affects all users.

🟠 Likely Case: Targeted DoS attacks against specific endpoints that process binary data, causing service degradation for affected users.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place, though some performance degradation may occur.

🌐 Internet-Facing: MEDIUM - Exploitable via network inputs but requires specific binary data parsing endpoints.
🏢 Internal Only: LOW - Requires access to internal systems or services that process binary data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted binary data to applications using vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.13.15 or 1.14.7 and later

Vendor Advisory: https://groups.google.com/forum/#!topic/golang-announce/NyPIaucMgXo

Restart Required: Yes

Instructions:

1. Update the Go installation to version 1.13.15 or 1.14.7+
2. Recompile all Go applications with the updated version
3. Redeploy the updated applications
4. Restart services running the Go applications

🔧 Temporary Workarounds

Input validation wrapper (platforms: all)

Implement custom input validation before calling the ReadUvarint/ReadVarint functions

// Go code: Validate input size and structure before parsing

Resource limiting (platforms: all)

Implement CPU/time limits for binary parsing operations

// Use context.WithTimeout or a goroutine with a timer
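As an added example (not part of this advisory page or of the Go project's own code), the input validation wrapper described above: an io.ByteReader shim that caps how many bytes a single ReadUvarint/ReadVarint call may consume at binary.MaxVarintLen64, so a run of continuation bytes (0x80 ...) returns an error instead of driving an unbounded read loop. The names cappedByteReader, ReadUvarintBounded, ReadVarintBounded and ErrVarintTooLong are assumptions of this example, and the inputs in main are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong is returned once the per-varint byte cap is hit (hypothetical name).
var ErrVarintTooLong = errors.New("varint exceeds maximum encoded length")

// cappedByteReader hands out at most max bytes, so a stream of continuation
// bytes (0x80 0x80 ...) cannot keep ReadUvarint/ReadVarint reading
// indefinitely on an unpatched Go toolchain.
type cappedByteReader struct {
	r   io.ByteReader
	n   int // bytes handed out so far
	max int
}

func (c *cappedByteReader) ReadByte() (byte, error) {
	if c.n >= c.max {
		return 0, ErrVarintTooLong
	}
	b, err := c.r.ReadByte()
	if err == nil {
		c.n++
	}
	return b, err
}

// ReadUvarintBounded decodes one unsigned varint, reading at most
// binary.MaxVarintLen64 (10) bytes, and reports the bytes consumed.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	c := &cappedByteReader{r: r, max: binary.MaxVarintLen64}
	v, err := binary.ReadUvarint(c)
	return v, c.n, err
}

// ReadVarintBounded is the signed (zig-zag) counterpart.
func ReadVarintBounded(r io.ByteReader) (int64, int, error) {
	c := &cappedByteReader{r: r, max: binary.MaxVarintLen64}
	v, err := binary.ReadVarint(c)
	return v, c.n, err
}

func main() {
	// Constructed inputs: a valid 2-byte encoding of 300, then 64 bytes of 0x80.
	fmt.Println(ReadUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02})))
	fmt.Println(ReadUvarintBounded(bytes.NewReader(bytes.Repeat([]byte{0x80}, 64))))
}
```

On a patched toolchain the standard library's own overflow error fires at the same byte count, so the wrapper stays harmless after upgrading; the bytes-consumed value is also a useful metric to log for the detection section below.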

🧯 If You Can't Patch

  • Implement strict input validation for all binary data parsing
  • Deploy rate limiting and monitoring for binary parsing endpoints

🔍 How to Verify

Check if Vulnerable:

Check the Go version with the 'go version' command and verify whether it is below 1.13.15, or is a 1.14.x release below 1.14.7

Check Version:

go version

Verify Fix Applied:

Confirm that the Go version is 1.13.15+ or 1.14.7+ and that all applications have been recompiled with it

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Application timeouts during binary parsing
  • Unusually large binary data inputs

Network Indicators:

  • Repeated binary data patterns to parsing endpoints
  • Abnormal request sizes to binary processing APIs

SIEM Query:

source="application.logs" AND ("CPU 100%" OR "timeout" OR "binary.ReadUvarint" OR "binary.ReadVarint")
