Improper Certificate Validation in Go programming language

#VU65267 Improper Certificate Validation in Go programming language

Published: 2022-07-13

Vulnerability identifier: #VU65267

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-27536

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to certificate.Verify in crypto/x509 in Go can be caused to panic on macOS when presented with certain malformed certificates. A remote unauthenticated attacker can use a TLS server to cause a TLS client to panic.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.18

External links
http://groups.google.com/g/golang-announce
http://groups.google.com/g/golang-announce/c/oecdBNLOml8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Security Services

Splunk Enterprise update for third-party packages

SUSE update for go1.18-openssl

Multiple vulnerabilities in Siemens Brownfield Connectivity Gateway

Multiple vulnerabilities in Oracle Solaris

Gentoo update for Go

Multiple vulnerabilities in IBM Event Streams

SUSE update for go1.18