CVE-2020-28367 – This CVE allows arbitrary code execution during... (How to Fix)

Q: What is the severity of CVE-2020-28367?

CVE-2020-28367 has a CVSS score of 7.5 (HIGH). This CVE allows arbitrary code execution during build time when using Go's cgo feature with malicious gcc flags specified in #cgo directives. Attackers can inject code that runs when compiling Go programs that use cgo. This affects developers building Go applications with cgo enabled before Go 1.14.12 or 1.15.5.

📋 TL;DR

This CVE allows arbitrary code execution during build time when using Go's cgo feature with malicious gcc flags specified in #cgo directives. Attackers can inject code that runs when compiling Go programs that use cgo. This affects developers building Go applications with cgo enabled before Go 1.14.12 or 1.15.5.

💻 Affected Systems

Products:

Go programming language

Versions: Go versions before 1.14.12 and Go 1.15.x before 1.15.5

Operating Systems: All platforms supporting Go

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects builds using cgo feature. Pure Go builds without cgo are not vulnerable.

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of build systems leading to supply chain attacks, backdoored binaries, and lateral movement from build infrastructure.

🟠

Likely Case

Malicious actors injecting backdoors into compiled binaries during CI/CD pipelines or developer builds.

🟢

If Mitigated

Limited to controlled build environments with restricted network access and code review processes.

🌐 Internet-Facing: MEDIUM - Build systems exposed to untrusted code (like public CI/CD) are vulnerable.

🏢 Internal Only: LOW - Internal build systems with trusted code sources have minimal risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires ability to modify Go source code with #cgo directives. Public proof-of-concept exists in Go issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.14.12 or Go 1.15.5

Vendor Advisory: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

Restart Required: No

Instructions:

1. Download latest Go version from official site. 2. Uninstall old Go version. 3. Install patched version. 4. Rebuild any affected binaries.

🔧 Temporary Workarounds

Disable cgo builds

all

Build Go programs without cgo support to avoid vulnerability

CGO_ENABLED=0 go build

Restrict build environment

all

Run builds in isolated containers with minimal privileges

🧯 If You Can't Patch

Audit all Go source code for suspicious #cgo directives
Implement strict code review for any Go code using cgo features

🔍 How to Verify

Check if Vulnerable:

Check Go version: if using Go <1.14.12 or Go 1.15.x <1.15.5 and building with cgo enabled, you are vulnerable.

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.14.12+ or 1.15.5+ and test building with cgo using known malicious patterns.

📡 Detection & Monitoring

Log Indicators:

Unusual gcc flag patterns in build logs
Build failures with unexpected compiler errors

Network Indicators:

Unexpected network connections from build processes

SIEM Query:

process:go AND cmdline:*cgo* AND (version:<1.14.12 OR version:1.15.[0-4])

📊 Metadata

CVE ID: CVE-2020-28367

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: November 18, 2020

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-28367, you might also want to check these: