CVE-2024-24790
📋 TL;DR
This vulnerability in Go's net package causes IPv4-mapped IPv6 addresses to be incorrectly classified by IsPrivate, IsLoopback, and similar methods, returning false when they should return true. This can lead to security bypasses in applications that rely on these methods for access control or validation. Any Go application using these network address validation functions is affected.
💻 Affected Systems
- Go programming language
- Applications built with Go that use net package IP validation
📦 What is this software?
Go by Golang
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass IP-based access controls, firewall rules, or authentication mechanisms, gaining unauthorized access to sensitive systems or data.
Likely Case
Security bypass in applications using IP validation for rate limiting, geofencing, or internal network restrictions, potentially leading to data exposure or service abuse.
If Mitigated
Limited impact if applications have additional security layers beyond IP validation, or if affected functions aren't used for critical security decisions.
🎯 Exploit Status
Exploitation requires sending specially crafted IPv4-mapped IPv6 addresses to applications using affected validation methods.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.22.5, Go 1.21.12
Vendor Advisory: https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
Restart Required: Yes
Instructions:
1. Update the Go installation to version 1.22.5 or 1.21.12.
2. Recompile all Go applications with the updated version.
3. Redeploy the patched applications.
4. Restart services running Go applications.
🔧 Temporary Workarounds
Manual IP validation
Replace net.IP.Is* method calls with custom validation that properly handles IPv4-mapped IPv6 addresses
Network filtering
Implement network-level filtering to block or normalize IPv4-mapped IPv6 addresses before they reach vulnerable applications
🧯 If You Can't Patch
- Implement application-level IP validation that doesn't rely solely on net package Is* methods
- Deploy WAF or reverse proxy rules to filter or normalize IPv4-mapped IPv6 addresses
🔍 How to Verify
Check if Vulnerable:
Check if application uses net.IP.IsPrivate, net.IP.IsLoopback, or similar methods and test with IPv4-mapped IPv6 addresses like ::ffff:127.0.0.1
Check Version:
go version
Verify Fix Applied:
After updating Go, test that IPv4-mapped IPv6 addresses return correct values from Is* methods (e.g., ::ffff:127.0.0.1 should be recognized as loopback)
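The following is an added example, not code from the Go project or the advisory, covering both the "Manual IP validation" workaround and the "Verify Fix Applied" check above: it unmaps an IPv4-mapped IPv6 address with Unmap before calling the Is* methods, so the classification is the same on patched and unpatched toolchains. It uses net/netip, the package covered by the linked GO-2024-2887 advisory and fix CL 590316; the names AddrClass, ClassifyAddr, IsInternalClient and ToolchainMisclassifiesMapped are assumptions for this example.

```go
package main
import (
	"fmt"
	"net/netip"
)

// AddrClass: classification after normalising any IPv4-mapped form (hypothetical type).
type AddrClass struct {
	WasMapped bool   // input was ::ffff:a.b.c.d
	Canonical string // address after Unmap (IPv4 text for mapped input)
	Loopback  bool
	Private   bool
}

// ClassifyAddr parses s and runs the Is* methods on the unmapped address.
// Unmap turns ::ffff:127.0.0.1 into 127.0.0.1 and is a no-op otherwise, so
// the result is the same with or without the CVE-2024-24790 fix.
func ClassifyAddr(s string) (AddrClass, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return AddrClass{}, err
	}
	canon := addr.Unmap()
	return AddrClass{
		WasMapped: addr.Is4In6(),
		Canonical: canon.String(),
		Loopback:  canon.IsLoopback(),
		Private:   canon.IsPrivate(),
	}, nil
}

// IsInternalClient is a constructed access-control check of the kind the
// advisory warns about; unparseable input is treated as external (fail closed).
func IsInternalClient(s string) bool {
	c, err := ClassifyAddr(s)
	return err == nil && (c.Loopback || c.Private)
}

// "Verify Fix Applied" probe: true means the running toolchain still misclassifies.
func ToolchainMisclassifiesMapped() bool {
	return !netip.MustParseAddr("::ffff:127.0.0.1").IsLoopback()
}

func main() {
	fmt.Println("toolchain lacks fix:", ToolchainMisclassifiesMapped())
	for _, s := range []string{"::ffff:127.0.0.1", "::ffff:10.0.0.5", "::ffff:8.8.8.8", "::1"} {
		c, _ := ClassifyAddr(s)
		fmt.Printf("%-17s canonical=%-10s loopback=%-5v private=%v\n", s, c.Canonical, c.Loopback, c.Private)
	}
}
```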
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful connections from IPv4-mapped IPv6 addresses that should be blocked
- Access logs showing IPv4-mapped IPv6 addresses bypassing restrictions
Network Indicators:
- Traffic using IPv4-mapped IPv6 addresses to endpoints with IP-based restrictions
- Unusual patterns of IPv6 traffic to typically IPv4-only services
SIEM Query:
source_ip STARTSWITH "::ffff:" AND (event="access_granted" OR event="authentication_success") WHERE previously_blocked
🔗 References
- http://www.openwall.com/lists/oss-security/2024/06/04/1
- https://go.dev/cl/590316
- https://go.dev/issue/67680
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2887
- https://security.netapp.com/advisory/ntap-20240905-0002/