CVE-2021-3115 – This vulnerability in Go on Windows allows comm... (How to Fix)

Q: How do I fix CVE-2021-3115?

1. Download and install Go 1.14.14 or later for Go 1.14.x series. 2. Download and install Go 1.15.7 or later for Go 1.15.x series. 3. Verify installation with 'go version'.

Q: What is the severity of CVE-2021-3115?

CVE-2021-3115 has a CVSS score of 7.5 (HIGH). This vulnerability in Go on Windows allows command injection and remote code execution when using 'go get' to fetch modules that use cgo. Attackers can execute arbitrary code by tricking users into downloading malicious modules. Affects developers and systems using vulnerable Go versions on Windows.

📋 TL;DR

This vulnerability in Go on Windows allows command injection and remote code execution when using 'go get' to fetch modules that use cgo. Attackers can execute arbitrary code by tricking users into downloading malicious modules. Affects developers and systems using vulnerable Go versions on Windows.

💻 Affected Systems

Products:

Go programming language

Versions: Go <1.14.14, Go 1.15.x <1.15.7

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows systems. Requires using 'go get' with modules that use cgo functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Attackers execute arbitrary commands in the context of the user running 'go get', potentially gaining access to sensitive files and credentials.

🟢

If Mitigated

Limited impact if proper network controls and user privilege restrictions are in place, though command execution may still occur.

🌐 Internet-Facing: MEDIUM - Requires user interaction (running 'go get') but can be triggered via automated build systems or developer workflows.

🏢 Internal Only: MEDIUM - Internal developers using vulnerable Go versions remain at risk when fetching external modules.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires convincing a user to run 'go get' on a malicious module. The vulnerability is well-documented and trivial to exploit once the target runs the command.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.14.14 or Go 1.15.7

Vendor Advisory: https://groups.google.com/g/golang-announce/c/mperVMGa98w

Restart Required: No

Instructions:

1. Download and install Go 1.14.14 or later for Go 1.14.x series. 2. Download and install Go 1.15.7 or later for Go 1.15.x series. 3. Verify installation with 'go version'.

🔧 Temporary Workarounds

Disable cgo usage

windows

Set CGO_ENABLED=0 environment variable to prevent cgo from being used during module fetching

set CGO_ENABLED=0

Use vendor directory

all

Vendor dependencies locally to avoid fetching modules during builds

go mod vendor

🧯 If You Can't Patch

Restrict network access to prevent 'go get' from fetching external modules
Run Go commands with minimal user privileges and in isolated environments

🔍 How to Verify

Check if Vulnerable:

Run 'go version' and check if version is <1.14.14 or 1.15.x <1.15.7 on Windows

Check Version:

go version

Verify Fix Applied:

Run 'go version' and confirm version is >=1.14.14 or >=1.15.7

📡 Detection & Monitoring

Log Indicators:

Unexpected 'go get' commands fetching unfamiliar modules
Process execution of gcc or other compilers from Go operations

Network Indicators:

Outbound connections to unfamiliar repositories during Go module fetching

SIEM Query:

Process where (command_line contains 'go get' AND parent_process contains 'cmd.exe') OR (process_name contains 'gcc.exe' AND parent_process contains 'go.exe')

📊 Metadata

CVE ID: CVE-2021-3115

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-427

Published: January 26, 2021

Last Updated: November 21, 2024

🔗 References

https://blog.golang.org/path-security Vendor Advisory
https://groups.google.com/g/golang-announce/c/mperVMGa98w Release Notes,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
https://security.gentoo.org/glsa/202208-02 Third Party Advisory
https://security.netapp.com/advisory/ntap-20210219-0001/ Third Party Advisory
https://blog.golang.org/path-security Vendor Advisory
https://groups.google.com/g/golang-announce/c/mperVMGa98w Release Notes,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
https://security.gentoo.org/glsa/202208-02 Third Party Advisory
https://security.netapp.com/advisory/ntap-20210219-0001/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3115, you might also want to check these: