CVE-2023-29404

9.8 CRITICAL

📋 TL;DR

This vulnerability in the go command's cgo support allows a malicious Go module to execute arbitrary code at build time. The go command checks '#cgo LDFLAGS' directives against an allow-list before passing them to the C linker, but it treated the arguments of several linker flags as optional when they are not, so a module could smuggle otherwise disallowed flags through the LDFLAGS sanitization. Both the gc and gccgo toolchains are affected. Anyone running 'go get' on, or building (go build, go test, go run, go install), untrusted Go code with cgo enabled is exposed.

💻 Affected Systems

Products:
  • Go programming language
Versions: all Go releases before 1.19.10 (including 1.18 and older, which are out of support and did not receive the fix), and Go 1.20.x before 1.20.5
Operating Systems: All platforms where Go is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds where cgo is enabled, which is the default whenever the go command finds a C compiler. Pure Go builds with CGO_ENABLED=0 are not affected.

📦 What is this software?

Go is an open-source, statically typed programming language and toolchain maintained by Google. The go command fetches modules and builds them; with cgo, it also compiles C code embedded in Go packages and forwards the flags declared in '#cgo CFLAGS' and '#cgo LDFLAGS' directives to the C compiler and linker, after checking them against an allow-list because the module author controls them.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary code execution on the build host during compilation, leading to supply chain compromise of the produced binaries, theft of credentials present in the build environment, and persistent backdoors.

🟠 Likely Case

Build system compromise: malware injected into compiled binaries, or takeover of the build environment (CI runners, developer workstations).

🟢 If Mitigated

Contained to the build sandbox when builds run in isolated, minimally privileged environments; still dangerous for CI/CD pipelines, because the sandbox usually holds signing keys, tokens and the artifacts themselves.

🌐 Internet-Facing: HIGH - building modules fetched directly from public repositories exposes users to attacker-controlled code.
🏢 Internal Only: MEDIUM - internal build systems can be reached through a malicious internal module or a compromised (transitive) dependency.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires getting a victim, or a CI runner, to build a module the attacker controls, which can also happen transitively through a dependency. The issue is documented, with a proof of concept, in the Go issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.20.5 or Go 1.19.10

Vendor Advisory: https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ

Restart Required: No

Instructions:

1. Download and install Go 1.20.5 or 1.19.10 from https://go.dev/dl/
2. Replace the existing Go installation and confirm with 'go version'
3. Rebuild affected binaries with the patched toolchain; a binary already built from a malicious module should be treated as compromised rather than simply rebuilt

🔧 Temporary Workarounds

Disable cgo for untrusted builds

Platform: all

Set CGO_ENABLED=0 so the go command never invokes the C compiler or linker for the untrusted code. Packages that genuinely need cgo will then fail to build, which is the safe outcome for an untrusted module.

CGO_ENABLED=0 go build ./...
CGO_ENABLED=0 go test ./...
CGO_ENABLED=0 go get example.com/untrusted/module   (placeholder module path)

Pin and audit module sources via a proxy and the checksum database

Platform: all

Fetch modules through a proxy and verify them against the checksum database (recorded in go.sum) so the code you build is exactly what everyone else sees and cannot be swapped in transit. This does not inspect '#cgo LDFLAGS' directives: it protects against a silently substituted dependency, not against a module that is malicious at its source, so review the cgo directives of new dependencies separately.

export GOPROXY=https://proxy.golang.org,direct
export GOSUMDB=sum.golang.org

🧯 If You Can't Patch

  • Avoid building untrusted Go modules entirely
  • Before building, preview the commands the build would run with 'go build -n ./...' (it prints them without executing them) and inspect the printed C compiler and linker invocations for unexpected flags
  • Isolate build environments using containers or VMs with minimal privileges and no access to production credentials
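The following is an added example, not code from the Go project or from this advisory. It serves two purposes on this page: it models the bug class described in the TL;DR (a linker flag whose argument is wrongly treated as optional slips through an allow-list check, and the bare flag then reaches the linker and swallows whatever token follows it), and it is the kind of pre-build audit a team that cannot patch can run over an untrusted module's '#cgo LDFLAGS' directives. The allow-list, the flag sets and the two sample source files are constructed for illustration; the real sanitizer in cmd/go is larger and handles quoting, and no claim is made about which specific flag the real bug involved.

```go
// Added example: audit #cgo LDFLAGS directives in untrusted Go source.
// Illustrative code, not Go's cmd/go sanitizer. The lax mode models the
// CVE-2023-29404 bug class: a flag that requires a following argument is
// accepted without one.
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample files standing in for an untrusted module (not real code).
var sampleModule = map[string]string{
	"good/native.go": "package good\n\n// #cgo LDFLAGS: -L/usr/local/lib -lfoo -Wl,-rpath,/usr/local/lib\nimport \"C\"\n",
	"bad/native.go":  "package bad\n\n// #cgo linux LDFLAGS: -lfoo -Wl,-rpath\nimport \"C\"\n",
}

// A cgo directive: "// #cgo [constraints] LDFLAGS: flags...".
var ldflagsLine = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:[\w!,]+\s+)*LDFLAGS:\s*(.*)$`)

// safeArg: a path or name that cannot be parsed as another option (no leading '-' or '@').
var safeArg = regexp.MustCompile(`^[A-Za-z0-9_./+][A-Za-z0-9_./+-]*$`)

// Hypothetical allow-list of flags whose argument lives in the same token.
var attachedFlag = []*regexp.Regexp{
	regexp.MustCompile(`^-l[A-Za-z0-9_.+-]+$`),
	regexp.MustCompile(`^-L[A-Za-z0-9_./+][A-Za-z0-9_./+-]*$`),
	regexp.MustCompile(`^-Wl,-rpath,[A-Za-z0-9_./+][A-Za-z0-9_./+-]*$`),
}

// Flags that take their argument as the following token; that argument is NOT optional.
var nextArgFlag = map[string]bool{"-L": true, "-Wl,-rpath": true, "-framework": true}

// extractLDFLAGS returns the token list of every LDFLAGS directive in one Go file.
// strings.Fields is a simplification; real cgo also handles quoting.
func extractLDFLAGS(src string) [][]string {
	var out [][]string
	for _, line := range strings.Split(src, "\n") {
		if m := ldflagsLine.FindStringSubmatch(line); m != nil {
			out = append(out, strings.Fields(m[1]))
		}
	}
	return out
}

// checkLDFLAGS validates a token list. strict=true is the correct check. strict=false
// reproduces the bug class: the bare flag is accepted, so at link time it would consume
// the next token, reinterpreting something that was validated on its own.
func checkLDFLAGS(args []string, strict bool) error {
	for i := 0; i < len(args); i++ {
		a := args[i]
		if nextArgFlag[a] {
			if i+1 < len(args) && safeArg.MatchString(args[i+1]) {
				i++ // argument present and safe: consume it
				continue
			}
			if strict {
				return fmt.Errorf("flag %q requires a safe argument", a)
			}
			continue // lax: argument wrongly treated as optional
		}
		if !matchesAny(attachedFlag, a) {
			return fmt.Errorf("disallowed linker flag %q", a)
		}
	}
	return nil
}

func matchesAny(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// Finding records a directive that the strict check rejects.
type Finding struct {
	File  string
	Flags []string
	Err   error
}

// auditModule runs the strict check over every LDFLAGS directive in the given files.
func auditModule(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic report order
	var findings []Finding
	for _, n := range names {
		for _, flags := range extractLDFLAGS(files[n]) {
			if err := checkLDFLAGS(flags, true); err != nil {
				findings = append(findings, Finding{File: n, Flags: flags, Err: err})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range auditModule(sampleModule) {
		fmt.Printf("%s: %v (LDFLAGS: %q)\n", f.File, f.Err, f.Flags)
	}
}
```

To use this on a real checkout, replace sampleModule with the contents of the module's .go files (for example by walking the module directory) and fail the pipeline on any finding; the lax mode exists only to show, on the "bad" sample, what a checker that forgets the argument requirement lets through.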

🔍 How to Verify

Check if Vulnerable:

Run 'go version'. Any release before 1.19.10 (including 1.18 and older, which are out of support and did not receive the fix) and 1.20.0 through 1.20.4 are vulnerable.

Check Version:

go version

Verify Fix Applied:

Run 'go version' and confirm the version is 1.19.10 or later on the 1.19 line, or 1.20.5 or later (1.21 and newer already include the fix).
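As an added example (not part of the Go project), the version check above expressed as code suitable for a CI gate. The cut-offs 1.19.10 and 1.20.5 come from the advisory; the assumptions are that pre-release tags such as go1.20rc1 count as patch 0 of their minor, that 1.21 and later are treated as fixed, and that a 'devel' toolchain is classified by its branch version only (such builds should really be checked by commit).

```go
// Added example: classify a Go version string against the CVE-2023-29404 fix
// versions (1.19.10 and 1.20.5). Not part of the Go project; see assumptions
// in the comments.
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Matches go1.20.4, go1.19, go1.21rc1, and the same tokens inside "go version ..." output.
var goVersionRE = regexp.MustCompile(`\bgo(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts major, minor and patch. A missing patch (go1.19, go1.21rc1)
// is treated as 0, so pre-releases count as the .0 of their minor (assumption).
func parseGoVersion(s string) (major, minor, patch int, err error) {
	m := goVersionRE.FindStringSubmatch(s)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("no Go version found in %q", s)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, nil
}

// isVulnerable reports whether the version predates the fix.
// Fixed: 1.19.10+, 1.20.5+, and 1.21+ (assumption for 1.21). Everything earlier,
// including unsupported lines such as 1.18, is affected.
func isVulnerable(version string) (bool, error) {
	major, minor, patch, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	switch {
	case major != 1:
		return false, fmt.Errorf("unexpected major version %d in %q", major, version)
	case minor < 19:
		return true, nil
	case minor == 19:
		return patch < 10, nil
	case minor == 20:
		return patch < 5, nil
	default:
		return false, nil
	}
}

func main() {
	v := runtime.Version() // the toolchain that compiled this program
	vuln, err := isVulnerable(v)
	if err != nil {
		fmt.Println("cannot classify:", err)
		return
	}
	if vuln {
		fmt.Printf("%s: VULNERABLE to CVE-2023-29404, upgrade to 1.19.10 / 1.20.5 or later\n", v)
	} else {
		fmt.Printf("%s: includes the fix\n", v)
	}
}
```

Run it with the toolchain under test ('go run check.go'), or feed the output of 'go version' from each build agent into isVulnerable to inventory a fleet.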

📡 Detection & Monitoring

Log Indicators:

  • Unexpected build failures with cgo
  • Unusual linker flag usage in build logs
  • Build processes spawning unexpected child processes

Network Indicators:

  • Go tools downloading from untrusted sources
  • Unexpected outbound connections during build process

SIEM Query:

parent_process_name:"go" AND process_name:("gcc" OR "clang" OR "cc" OR "ld") AND cmdline:"-Wl,"

ancestor_process_name:"go" AND process_name:("sh" OR "bash" OR "curl" OR "wget" OR "python")

Field names are illustrative. The first query is noisy on cgo-heavy builds: baseline the normal link command lines per repository and alert on deviations. The second catches the post-exploitation pattern of a build spawning shells or downloaders, which a legitimate go build does not do unless 'go generate' is invoked.
