CVE-2022-24675
📋 TL;DR
This vulnerability is a stack overflow in Go's encoding/pem package when processing large PEM data. It allows attackers to cause denial of service or potentially execute arbitrary code by crashing the application. Affected applications are those built with Go versions before 1.17.9, or 1.18.x before 1.18.1, that parse PEM data from untrusted sources.
💻 Affected Systems
- Go programming language
- Applications built with Go that use encoding/pem package
📦 What is this software?
Fedora by Fedoraproject
Go by Golang
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if the stack overflow can be leveraged for arbitrary code execution.
Likely Case
Denial of service through application crash when processing malicious PEM data.
If Mitigated
Limited impact with proper input validation and size limits on PEM data processing.
🎯 Exploit Status
Exploitation requires sending specially crafted large PEM data to vulnerable applications. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.17.9 or Go 1.18.1
Vendor Advisory: https://groups.google.com/g/golang-announce/c/oecdBNLOml8
Restart Required: Yes
Instructions:
1. Identify affected Go installations.
2. Update to Go 1.17.9 or 1.18.1 using official distribution channels.
3. Recompile and redeploy affected applications with the updated Go version.
4. Restart services using the patched Go runtime.
🔧 Temporary Workarounds
Limit PEM input size (applies to: all)
- Implement input validation to restrict the size of PEM data processed by applications
- Implement size checking in application code before calling pem.Decode()
Disable PEM processing from untrusted sources (applies to: all)
- Restrict PEM data processing to trusted sources only
- Implement source validation for PEM data inputs
🧯 If You Can't Patch
- Implement strict input validation to reject PEM data exceeding reasonable size limits
- Isolate vulnerable applications behind firewalls and restrict network access to trusted sources only
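The size-limit workaround above (and the input-validation fallback under "If You Can't Patch") in working form, as an added example that is not part of this advisory or the Go project: untrusted input is bounded with io.LimitReader before it reaches pem.Decode. MaxPEMBytes, readBoundedPEM, DecodeAllBlocks and the sample PEM block are assumptions chosen for illustration.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"strings"
)

// MaxPEMBytes is an assumed, application-chosen ceiling for untrusted
// PEM input; size it to your largest legitimate chain with headroom.
const MaxPEMBytes = 1 << 20 // 1 MiB

var ErrPEMTooLarge = errors.New("pem input exceeds size limit")

// readBoundedPEM reads at most MaxPEMBytes from r and rejects anything
// larger, so untrusted bytes are size-checked before pem.Decode sees them.
func readBoundedPEM(r io.Reader) ([]byte, error) {
	// Read one byte past the limit to distinguish "at limit" from "over".
	data, err := io.ReadAll(io.LimitReader(r, MaxPEMBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	return data, nil
}

// DecodeAllBlocks decodes every PEM block in bounded input and returns
// the block types found, in order.
func DecodeAllBlocks(r io.Reader) ([]string, error) {
	data, err := readBoundedPEM(r)
	if err != nil {
		return nil, err
	}
	var types []string
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		types = append(types, block.Type)
	}
	return types, nil
}

func main() {
	// Constructed sample input: one small block, then an oversized blob.
	small := "-----BEGIN TEST-----\nAAAA\n-----END TEST-----\n"
	fmt.Println(DecodeAllBlocks(strings.NewReader(small)))
	fmt.Println(DecodeAllBlocks(strings.NewReader(strings.Repeat("A", MaxPEMBytes+1))))
}
```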
🔍 How to Verify
Check if Vulnerable:
Check the Go version with the 'go version' command. If the output shows a version earlier than 1.17.9, or a 1.18.x version earlier than 1.18.1, applications built with that toolchain are vulnerable if they use the encoding/pem package.
Check Version:
go version
Verify Fix Applied:
Run 'go version' to confirm the toolchain is 1.17.9 or 1.18.1+, then rebuild the affected applications. Test PEM parsing functionality with large inputs to ensure no crashes.
📡 Detection & Monitoring
Log Indicators:
- Application crashes or panics when processing PEM data
- Stack overflow errors in application logs
- Unusual memory consumption patterns
Network Indicators:
- Large PEM data transfers to applications
- Repeated connection attempts with PEM payloads
SIEM Query:
source="application.logs" AND ("panic" OR "stack overflow" OR "out of memory") AND "pem"
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/oecdBNLOml8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TYZC4OAY54TO75FBEFAPV5G7O4D5TM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3BMW5QGX53CMIJIZWKXFKBJX2C5GWTY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RCRSABD6CUDIZULZPZL5BJ3ET3A2NEJP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20220915-0010/