Google fixes severe Golang Windows RCE vulnerability
Security News, January 2021
This month Google's Go team fixed a severe remote code execution vulnerability in the Go toolchain (the go command itself, not the language).
The vulnerability, CVE-2021-3115, mainly affects Windows users who run go get on modules that use cgo. Building such a module makes the go command invoke a C compiler (gcc) by name, and the default Windows executable lookup can resolve that name to a gcc.exe shipped inside the untrusted module that was just downloaded.
If you type netstat in a Windows command prompt, Windows first looks in the current directory for a netstat executable (netstat.exe).
Only if no such file exists in the current folder does the shell search the directories listed in the %PATH% variable, which is where the real netstat system utility lives.
For consistency with the native shells, Go's executable lookup (os/exec.LookPath) follows the platform's rules: on Unix it searches only the directories in PATH, while on Windows it checks the current directory first. So when the go command looked up gcc while building a cgo package, a gcc.exe placed in the module's own directory could win the lookup and run with the privileges of the user who typed go get.
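The lookup difference, and the check that defuses it, as an added Go example (this is not code from the Go project or from the article). It stages a temporary directory standing in for an untrusted module checkout that ships a constructed fakecc binary in place of gcc.exe, makes that directory current, and compares a plain exec.LookPath with a hardened lookup that refuses any name resolved relative to the current directory. Windows searches the current directory on its own; on Unix the example prepends "." to PATH to reproduce that order, so it goes slightly beyond the Windows-only case in the text. The names safeLookPath, demoCurrentDirLookup and fakecc are this example's own; exec.ErrDot is the real os/exec sentinel (Go 1.19 and later) and is assumed to be available.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
)

// lookupResult records what the lookups returned for the same tool name.
type lookupResult struct {
	UnsafePath   string // what exec.LookPath resolved to (may be relative)
	UnsafeErrDot bool   // exec.LookPath flagged a current-directory hit
	SafeRefused  bool   // safeLookPath rejected the current-directory hit
	TrustedPath  string // safeLookPath's answer once PATH holds only the trusted dir
}

// safeLookPath (hypothetical helper) resolves name through PATH but refuses any
// result that is not an absolute path: a hit in the current directory, which
// os/exec (Go 1.19+) reports as exec.ErrDot, or a relative PATH entry. A build
// tool must never run a compiler that arrived with the checkout it is building.
func safeLookPath(name string) (string, error) {
	p, err := exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		return "", fmt.Errorf("refusing %q: resolved relative to the current directory (%s)", name, p)
	}
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("refusing %q: non-absolute lookup result %s", name, p)
	}
	return p, nil
}

// demoCurrentDirLookup stages the CVE-2021-3115 situation: the current
// directory is an "untrusted module checkout" that ships its own fakecc
// binary (a constructed stand-in for a planted gcc.exe). Windows searches the
// current directory first by itself; on Unix the demo prepends "." to PATH to
// reproduce that order. It then compares the plain lookup with safeLookPath.
func demoCurrentDirLookup() (lookupResult, error) {
	var res lookupResult

	checkout, err := os.MkdirTemp("", "untrusted-module-")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(checkout)

	const tool = "fakecc"
	file := tool
	if runtime.GOOS == "windows" {
		file += ".exe" // Windows only treats PATHEXT extensions as executable
	}
	planted := []byte("#!/bin/sh\necho pwned\n") // constructed; looked up, never run
	if err := os.WriteFile(filepath.Join(checkout, file), planted, 0o755); err != nil {
		return res, err
	}

	// Enter the checkout and put the current directory first in PATH,
	// restoring both afterwards so the caller's environment is untouched.
	oldWd, err := os.Getwd()
	if err != nil {
		return res, err
	}
	if err := os.Chdir(checkout); err != nil {
		return res, err
	}
	defer os.Chdir(oldWd)
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath)
	os.Setenv("PATH", "."+string(os.PathListSeparator)+oldPath)

	// 1. The plain lookup finds the planted binary; modern os/exec at least
	//    flags it with ErrDot, while the unfixed go command simply ran it.
	p, err := exec.LookPath(tool)
	res.UnsafePath = p
	res.UnsafeErrDot = errors.Is(err, exec.ErrDot)

	// 2. The hardened lookup refuses to use it.
	_, err = safeLookPath(tool)
	res.SafeRefused = err != nil

	// 3. With PATH naming the directory absolutely, the same file is accepted:
	//    the check is about where the name was resolved, not about the file.
	os.Setenv("PATH", checkout)
	res.TrustedPath, err = safeLookPath(tool)
	if err != nil {
		return res, err
	}
	return res, nil
}

func main() {
	res, err := demoCurrentDirLookup()
	if err != nil {
		fmt.Println("demo failed:", err)
		os.Exit(1)
	}
	fmt.Printf("plain lookup: %q (ErrDot=%v)\n", res.UnsafePath, res.UnsafeErrDot)
	fmt.Printf("hardened lookup refused current-directory hit: %v\n", res.SafeRefused)
	fmt.Printf("hardened lookup with trusted PATH: %s\n", res.TrustedPath)
}
```

The third step is the design point: the fix does not distrust the compiler binary as such, it distrusts the way the name was resolved, so a compiler reachable through an absolute PATH entry still works while anything picked up from the directory being built is rejected.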
The Go team at Google has fixed the vulnerability in Go 1.14.14 and 1.15.7, and users are advised to upgrade to one of those releases or later.
News URL
https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/
Related news
- Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Week in review: Ivanti fixes RCE vulnerability, Nissan breach affects 100,000 individuals (source)
- Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Google now pays up to $450,000 for RCE bugs in some Android apps (source)
- Bug hunters can get up to $450,000 for an RCE in Google’s Android apps (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-01-26 | CVE-2021-3115 | Uncontrolled Search Path Element vulnerability in multiple products: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). | 7.5 |