PT-2018-2521 · Google+3 · Go+3
Christopher Brown
Published: 2018-02-07
Updated: 2025-09-29
CVE-2018-6574
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.8.7
Go 1.9.x versions prior to 1.9.4
Go 1.10 pre-releases prior to Go 1.10rc2
Description
The issue is in the "go get" command of the Go programming language, which allows remote command execution during source code build. This is possible because the -fplugin= and -plugin= arguments were not blocked, leaving the gcc or clang plugin feature reachable from package source. A remote attacker can exploit this when a user runs "go get" on a package the attacker controls. When cgo is enabled, the build step invokes the host C compiler and adds the compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism that loads a shared-library plugin into the compiler. A Go package repository can contain a malicious plugin file, which is loaded into the host C compiler during the build, potentially granting unrestricted access to the host system.
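An added example, not part of the original advisory and not the Go project's fix: a small Go scanner that reports `#cgo` directives carrying the -fplugin= or -plugin= arguments described above, for auditing a checked-out package before it is built. The names `Finding`, `FindPluginFlags` and `sampleSrc` are assumptions made for illustration, and the sample source is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding records one flag token in a #cgo directive that names a compiler plugin.
type Finding struct {
	Line int    // 1-based line number in the scanned source
	Flag string // offending token as written in the directive
}

// pluginMarkers are the two arguments the advisory names as not blocked.
var pluginMarkers = []string{"-fplugin=", "-plugin="}

// FindPluginFlags scans Go source text for "#cgo" directive lines and
// returns every flag token that contains one of pluginMarkers.
func FindPluginFlags(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		// Directives sit in the comment preamble above `import "C"`.
		line := strings.TrimLeft(sc.Text(), "/* \t")
		parts := strings.SplitN(line, ":", 2)
		if !strings.HasPrefix(line, "#cgo") || len(parts) != 2 {
			continue
		}
		for _, tok := range strings.Fields(parts[1]) {
			for _, m := range pluginMarkers {
				if strings.Contains(tok, m) {
					out = append(out, Finding{Line: n, Flag: tok})
					break
				}
			}
		}
	}
	return out
}

// sampleSrc is constructed input; the plugin path is a placeholder.
const sampleSrc = "package demo\n\n// #cgo CFLAGS: -O2 -fplugin=./placeholder.so\n// #cgo LDFLAGS: -lm\nimport \"C\"\n"

func main() {
	for _, f := range FindPluginFlags(sampleSrc) {
		fmt.Printf("line %d: %s\n", f.Line, f.Flag)
	}
}
```

Substring matching is deliberate so that a marker wrapped in another option, such as a linker pass-through, is still reported.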
Recommendations
For Go versions prior to 1.8.7, update to version 1.8.7 or later.
For Go 1.9.x versions prior to 1.9.4, update to version 1.9.4 or later.
For Go 1.10 pre-releases prior to Go 1.10rc2, update to Go 1.10rc2 or later.
As a temporary workaround, consider disabling the cgo feature until a patch is available.
Restrict access to the gcc and clang plugins to minimize the risk of exploitation.
Exploit
Fix
Improper Access Control
Code Injection
Related identifiers
Affected products
Alt Linux
CentOS
Go
Red Hat