CVE-2023-29402 – This CVE-2023-29402 is a critical code injectio... (How to Fix)

Q: What is the severity of CVE-2023-29402?

CVE-2023-29402 has a CVSS score of 9.8 (CRITICAL). This CVE-2023-29402 is a critical code injection vulnerability in Go's cgo build system. It allows attackers to execute arbitrary code during build time when processing untrusted modules with directory names containing newline characters. Users are affected when building Go programs with cgo using GOPATH mode (GO111MODULE=off) with untrusted source code.

📋 TL;DR

This CVE-2023-29402 is a critical code injection vulnerability in Go's cgo build system. It allows attackers to execute arbitrary code during build time when processing untrusted modules with directory names containing newline characters. Users are affected when building Go programs with cgo using GOPATH mode (GO111MODULE=off) with untrusted source code.

💻 Affected Systems

Products:

Go programming language

Versions: Go versions before 1.20.5 and 1.19.10

Operating Systems: All platforms where Go is used

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when using GOPATH mode (GO111MODULE=off) with cgo and building untrusted modules containing directories with newline characters. Module mode (GO111MODULE=on) is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise during build process, potentially leading to supply chain attacks and persistent backdoors in compiled binaries.

🟠

Likely Case

Build-time code injection leading to malicious code execution in development environments or CI/CD pipelines, potentially compromising build artifacts.

🟢

If Mitigated

Limited impact when using module mode (GO111MODULE=on) and only building trusted source code.

🌐 Internet-Facing: MEDIUM - Exploitation requires attacker to control source code being built, typically in development/CI environments rather than production systems.

🏢 Internal Only: HIGH - Development environments, CI/CD pipelines, and build servers using GOPATH mode with untrusted code are at significant risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the attacker to provide malicious source code with specially crafted directory names. The vulnerability is well-documented with public proof-of-concept available in the Go issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.20.5 and Go 1.19.10

Vendor Advisory: https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ

Restart Required: No

Instructions:

1. Update Go to version 1.20.5 or 1.19.10. 2. Run 'go version' to verify update. 3. Rebuild any affected binaries with the updated Go compiler.

🔧 Temporary Workarounds

Use Go Modules Mode

all

Switch from GOPATH mode to module mode which is not vulnerable to this issue

export GO111MODULE=on

Disable cgo

all

Build without cgo support if not required

export CGO_ENABLED=0

🧯 If You Can't Patch

Only build trusted source code from verified repositories
Use isolated build environments with minimal privileges for building untrusted code

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version'. If version is below 1.20.5 or 1.19.10 and using GOPATH mode with cgo, the system is vulnerable.

Check Version:

go version

Verify Fix Applied:

Run 'go version' to confirm version is 1.20.5 or 1.19.10 or higher. Test building with cgo using GOPATH mode to ensure no unexpected behavior.

📡 Detection & Monitoring

Log Indicators:

Unexpected build failures
Suspicious directory names in build logs
Unexpected cgo behavior during compilation

Network Indicators:

Unusual network connections from build processes
Downloads from untrusted repositories during builds

SIEM Query:

process_name:"go" AND (command_line:"GO111MODULE=off" OR command_line:"cgo") AND (parent_process:"make" OR parent_process:"build")

📊 Metadata

CVE ID: CVE-2023-29402

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: June 8, 2023

Last Updated: January 6, 2025

🔗 References

https://go.dev/cl/501226 Patch
https://go.dev/issue/60167 Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ Mailing List,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ Mailing List
https://pkg.go.dev/vuln/GO-2023-1839 Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/501226 Patch
https://go.dev/issue/60167 Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ Mailing List,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ Mailing List
https://pkg.go.dev/vuln/GO-2023-1839 Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20241213-0004/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-29402, you might also want to check these: