CVE-2023-45285

7.5 HIGH

📋 TL;DR

This CVE describes a protocol downgrade vulnerability in Go's module fetching system. When 'go get' fetches a module whose path ends in '.git', the go command may fall back to the insecure 'git://' protocol if the secure protocols (HTTPS, git+ssh) fail, exposing the download to man-in-the-middle tampering. This affects Go developers who fetch modules directly without the module proxy (GOPROXY=off).

💻 Affected Systems

Products:
  • Go programming language
Versions: Go 1.21.x before 1.21.5 and Go 1.20.x before 1.20.12
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects users with GOPROXY=off who fetch modules directly using 'go get' with '.git' suffix modules. Most users with default GOPROXY settings are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could perform man-in-the-middle attacks to inject malicious code into dependencies, leading to supply chain compromise, remote code execution, or data exfiltration.

🟠

Likely Case

Attackers in privileged network positions could intercept and modify module downloads, potentially introducing backdoors or malware into development environments.

🟢

If Mitigated

With proper controls in place, such as fetching through a module proxy and leaving GOINSECURE unset, the risk is limited to specific development scenarios that also require a network-level attacker.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network-level access to intercept git:// protocol traffic and specific conditions where secure protocols fail for '.git' suffixed modules.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.21.5 and Go 1.20.12

Vendor Advisory: https://go.dev/issue/63845

Restart Required: No

Instructions:

1. Update Go to version 1.21.5 or 1.20.12 or later.
2. Run 'go version' to verify the update.
3. Rebuild any affected projects to ensure secure module fetching.

🔧 Temporary Workarounds

Use Module Proxy

all

Configure Go to use the module proxy instead of fetching modules directly

export GOPROXY=https://proxy.golang.org,direct

Avoid Direct Git Fetching

all

GOINSECURE is the list of module path patterns for which Go is allowed to fall back to insecure schemes such as git://; make sure it is unset (or empty) so that no host is exempted from secure fetching

unset GOINSECURE

🧯 If You Can't Patch

  • Always use the module proxy (set GOPROXY=https://proxy.golang.org,direct)
  • Avoid using 'go get' with modules that have '.git' suffix in their import paths

🔍 How to Verify

Check if Vulnerable:

You are affected if 'go version' reports a release before 1.21.5 or 1.20.12 and modules are fetched directly with GOPROXY=off

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.21.5, 1.20.12 or later using 'go version'

📡 Detection & Monitoring

Log Indicators:

  • git:// protocol usage in Go module fetch logs
  • Failed HTTPS/git+ssh attempts followed by git:// connections
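The second indicator above, a git:// connection following failed HTTPS/git+ssh attempts for the same repository, can be checked mechanically. The script below is an added example, not part of this advisory or of the Go project; it assumes a constructed one-line-per-probe log format (real `go get -x` output would need its own parser) and separates true downgrades from any other plaintext git:// use.

```python
import re
from collections import defaultdict

# Constructed sample log (not real `go get` output): one line per VCS
# probe, in the order a single `go get` run attempted them.
SAMPLE_LOG = """\
go: probe https://example.com/repo.git -> failed
go: probe git+ssh://example.com/repo.git -> failed
go: probe git://example.com/repo.git -> ok
go: probe https://other.example/lib.git -> ok
go: probe git://legacy.example/old.git -> ok
"""

# Assumed log shape: "probe <scheme>://<repo> -> <result>"
PROBE_RE = re.compile(r"probe (?P<scheme>[a-z+]+)://(?P<repo>\S+) -> (?P<result>\w+)")
SECURE_SCHEMES = {"https", "git+ssh", "ssh"}


def find_git_fallbacks(log_text):
    """Return a list of (repo, kind, failed_secure_schemes).

    kind is "downgrade" when a git:// probe follows failed secure probes for
    the same repo (the CVE-2023-45285 pattern) and "plaintext" for any other
    git:// use, which is still unauthenticated traffic worth reviewing.
    """
    failed = defaultdict(list)   # repo -> secure schemes that failed so far
    findings = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if not m:
            continue
        scheme, repo, result = m.group("scheme", "repo", "result")
        if scheme in SECURE_SCHEMES:
            if result != "ok":
                failed[repo].append(scheme)
        elif scheme == "git":
            kind = "downgrade" if failed[repo] else "plaintext"
            findings.append((repo, kind, list(failed[repo])))
    return findings


if __name__ == "__main__":
    for repo, kind, schemes in find_git_fallbacks(SAMPLE_LOG):
        print(f"{kind:10} {repo}  after failed: {schemes or '-'}")
```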

Network Indicators:

  • git:// protocol traffic on port 9418 from Go processes
  • Unencrypted git traffic to unexpected destinations

SIEM Query:

process:go AND (network.protocol:git OR destination.port:9418)
