#VU41239 Permissions, Privileges, and Access Controls in Go programming language - CVE-2014-7189

Cybersecurity Help s.r.o.

Published: 2014-10-07 | Updated: 2020-08-10

Vulnerability identifier: #VU41239

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-7189

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Go programming language: 1.1 - 1.1.2, 1.2 - 1.2.2, 1.3 - 1.3.1

External links
https://www.openwall.com/lists/oss-security/2014/09/26/28
https://www.securityfocus.com/bid/70156
https://exchange.xforce.ibmcloud.com/vulnerabilities/96693
https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 21 update for golang

Amazon Linux AMI update for golang

Permissions, Privileges, and Access Controls in GOland Go fro del

Fedora EPEL 6 update for golang

Fedora EPEL 7 update for golang