Arbitrary Code Execution Vulnerability in Apple ld via CGO
CVE-2024-24787
Key Information:
- Vendor
Go Toolchain
- Status
- Vendor
- CVE Published:
- 8 May 2024
Badges
What is CVE-2024-24787?
Two significant vulnerabilities have been identified in the Go programming language, posing serious risks to systems running affected versions. The first issue, CVE-2024-24787, allows for arbitrary code execution when building Go modules with CGO on Darwin operating systems. The second vulnerability, CVE-2024-24788, triggers an infinite loop in DNS lookup functions, potentially leading to a Denial-of-Service condition. Both vulnerabilities have been addressed by the Go team through the release of versions 1.22.3 and 1.21.10, and users are advised to update their systems promptly to protect against potential exploits.
Affected Version(s)
cmd/go darwin 0 < 1.21.10
cmd/go darwin 1.22.0-0 < 1.22.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Linux SecuritySUSE: 2024:1587-1 moderate: go1.22 Security Advisory Updates | LinuxSecurity.com
SUSE: 2024:1587-1 moderate: go1.22 Security Advisory Updates - # Security update for go1.22 Announcement ID: SUSE-SU-2024:1587-1 Rating: moderate References: * bsc
CybersecurityNewsGolang Vulnerability Alert: Remote Code Execution & Infinite Loop DNS Lookup
The Go team has released patches for two significant vulnerabilities that could allow attackers to execute arbitrary code and cause service disruptions through infinite loops.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by CybersecurityNews
Vulnerability published
Vulnerability Reserved