CVE-2024-45340
📋 TL;DR
This vulnerability in Go's GOAUTH feature allows malicious servers to improperly access credentials from a user's .netrc file that should be restricted to other domains. It affects Go applications using the net/http package with GOAUTH enabled and credentials stored in .netrc files. The issue occurs when credentials aren't properly segmented by domain during authentication requests.
💻 Affected Systems
- Go programming language
- Applications built with Go using net/http package
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious servers could steal authentication credentials for other services, potentially leading to unauthorized access to sensitive systems and data breaches across multiple domains.
Likely Case
Attackers controlling malicious servers could harvest credentials for other services from users who connect to them, compromising accounts on those other services.
If Mitigated
With proper network segmentation and credential management, impact is limited to credential exposure only for services using .netrc authentication with the vulnerable Go version.
🎯 Exploit Status
Exploitation requires a malicious server that users connect to, and users must have credentials stored in .netrc files. The server must be able to trigger authentication requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Go security releases for specific version
Vendor Advisory: https://go.dev/issue/71249
Restart Required: No
Instructions:
1. Update Go to the patched version. 2. Recompile affected applications with the updated Go version. 3. Redeploy applications. 4. Verify the fix by testing authentication behavior.
🔧 Temporary Workarounds
Disable GOAUTH feature
allDisable the GOAUTH feature to prevent credential leakage
Set environment variable: export GOAUTH=disabled
Or modify application code to not use GOAUTH
Remove .netrc credentials
allMove credentials out of .netrc files to alternative secure storage
Move credentials from ~/.netrc to secure credential manager
Delete or secure .netrc file: rm ~/.netrc
🧯 If You Can't Patch
- Implement network controls to restrict which servers applications can connect to
- Use alternative authentication methods that don't rely on .netrc files
🔍 How to Verify
Check if Vulnerable:
Check if application uses Go's net/http package with GOAUTH enabled and has credentials in .netrc filesCheck Version:
go versionVerify Fix Applied:
Test that credentials are properly segmented by domain after update by attempting authentication requests📡 Detection & Monitoring
Log Indicators:
- Unexpected authentication requests to multiple domains from single source
- Failed authentication attempts from unexpected domains
Network Indicators:
- Unusual authentication traffic patterns to multiple unrelated domains
- Connections to known malicious servers
SIEM Query:
Search for authentication events where source credentials are used across multiple unrelated domains within short timeframes