A new security vulnerability has been identified with the tracking number CVE-2023-45285, affecting users of the Go programming language who are fetching modules directly without using the module proxy. This vulnerability is related to the "go get" command used to download and install Go modules. When fetching a module with the ".git" suffix, the "go get" command may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if the GOINSECURE environment variable is not set for the mentioned module.

Exploit Details

The use of the "git://" protocol makes fetching modules vulnerable to man-in-the-middle (MITM) attacks, where an attacker can potentially intercept, eavesdrop, or modify the data transmitted between the client and server. This can lead to the compromise of sensitive information, including the source code, credentials, or other private data and resources related to the fetched module.

The vulnerability arises due to the default behavior of the "go get" command during the process of downloading and installing Go modules:

1. For modules with ".git" suffix, it first tries to fetch the module using the secure "https://" protocol.
2. If fetching the module using "https://" fails, it then tries to use the "git+ssh://" protocol.
3. If the previous protocols fail, it falls back to the insecure "git://" protocol.

The secure protocols "https://" and "git+ssh://" protect your module's integrity and confidentiality during transit, while the "git://" protocol does not provide any such security assurance.

The following command demonstrates the affected functionality of the "go get" command

$ go get example.com/myModule.git

When the secure protocols are not available for the "myModule.git" module, the "go get" command would end up using the insecure "git://" protocol for fetching it.

1. Go issue report discussing the vulnerability
2. Official Go documentation detailing the "go get" command

Mitigation and Recommendations

To avoid exposure to this vulnerability, it's recommended that affected users adhere to the following best practices:

1. Whenever possible, use the Go module proxy by setting the GOPROXY environment variable to "https://proxy.golang.org" (or an alternative module proxy). This ensures that the fetching of modules will be done securely through the proxy.

$ export GOPROXY=https://proxy.golang.org

2. For direct fetching of modules without using the proxy, only use modules that are available via the secure "https://" or "git+ssh://" protocols.

3. Keep an eye on the Go issue report discussing the vulnerability for updates and potential fixes to this issue.

4. Always verify the integrity and authenticity of the fetched modules before using them in your projects.

Conclusion

CVE-2023-45285 is a security vulnerability that affects users fetching Go modules directly with the ".git" suffix when the secure protocols are not available. It's essential to be aware of this issue to avoid potential security risks arising from using the insecure "git://" protocol. By following the recommended mitigation steps and best practices, developers can better protect their projects and sensitive data against potential MITM attacks.

Timeline

Published on: 12/06/2023 17:15:07 UTC
Last modified on: 01/20/2024 04:15:08 UTC