Security News > 2021 > January > Google fixes severe Golang Windows RCE vulnerability
This month Google engineers have fixed a severe remote code execution vulnerability in the Go language.
The RCE vulnerability, CVE-2021-3115, mainly impacts Windows users of Go running the go get command, due to the default behavior of Windows PATH lookups.
If you type netstat in a Windows command prompt, Windows would first look around for a netstat.
Should no netstat exist in the current folder, only then would the Windows shell look for the netstat system utility, the location of which exists on the Windows %PATH% variable.
For consistency, Golang binaries imitate Unix rules on Unix systems, and Windows rules on Windows.
The Golang team at Google has fixed the vulnerability and users are advised to upgrade their instances.
News URL
https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/
Related news
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Patching problems: The “return” of a Windows Themes spoofing vulnerability (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System (source)
- Google patches actively exploited Android vulnerability (CVE-2024-43093) (source)
- Palo Alto Networks warns of potential PAN-OS RCE vulnerability (source)
- Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Outdated Google Workspace Sync blocks Windows 11 24H2 upgrades (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-01-26 | CVE-2021-3115 | Uncontrolled Search Path Element vulnerability in multiple products Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). | 7.5 |