CVE-2020-16845
Infinite Loop vulnerability in stdlib
What is CVE-2020-16845 About?
This vulnerability affects Go before versions 1.13.15 and 1.14.7, causing an infinite read loop in the `ReadUvarint` and `ReadVarint` functions of the `encoding/binary` package. An attacker who can supply crafted invalid input causes a Denial of Service, since the affected call never returns and blocks the application indefinitely. Exploitation consists of feeding malformed binary data that triggers the loop.
Affected Software
- stdlib
  - <1.13.15
- github.com/ulikunitz/xz
  - <0.5.8
Technical Details
The vulnerability resides in the `encoding/binary` package of Go, specifically in the `ReadUvarint` and `ReadVarint` functions, impacting versions before 1.13.15 and 1.14.7. These functions are designed to read variable-length unsigned and signed integers, respectively. When provided with certain malformed binary inputs, instead of returning an error or successfully decoding, these functions enter an infinite read loop. This loop consumes CPU cycles and prevents the function from completing, effectively causing a Denial of Service for any process or goroutine attempting to read the malicious input. The attack vector involves sending or feeding specially crafted invalid binary data to an application using these Go functions for parsing.
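The following Go program is an added illustration, not code from the Go project or from this advisory. It shows the defensive property the fix introduced: a varint decoder that gives up after `binary.MaxVarintLen64` (10) bytes rather than reading continuation bytes forever. `ReadUvarintBounded`, `ReadVarintBounded`, `ReadUvarintLimited` and the `endlessContinuation` reader are names chosen for this example; the endless reader is a constructed stand-in for a malformed stream in which every byte has the continuation bit (0x80) set, which is the input shape that kept the unpatched decoder looping. `ReadUvarintLimited` also shows a mitigation available to code that cannot yet move to a fixed Go release: wrapping the untrusted source in an `io.LimitReader` before handing it to the standard-library decoder, so the call terminates with an error instead of hanging.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrOverflow is returned when MaxVarintLen64 bytes have been consumed
// without reaching a byte that terminates the varint.
var ErrOverflow = errors.New("varint overflows a 64-bit integer")

// ReadUvarintBounded decodes an unsigned varint (7 data bits per byte,
// high bit = continuation) but stops after MaxVarintLen64 bytes, so a
// stream of endless continuation bytes yields an error, not a hang.
func ReadUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			// A truncated varint is reported as unexpected EOF.
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF
			}
			return x, err
		}
		if b < 0x80 {
			// Last permitted byte may only carry one significant bit.
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, ErrOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, ErrOverflow
}

// ReadVarintBounded decodes a zig-zag encoded signed varint on top of the
// bounded unsigned reader, so it inherits the same upper bound.
func ReadVarintBounded(r io.ByteReader) (int64, error) {
	ux, err := ReadUvarintBounded(r)
	x := int64(ux >> 1)
	if ux&1 != 0 {
		x = ^x
	}
	return x, err
}

// ReadUvarintLimited is a mitigation for callers stuck on an unpatched
// runtime: it caps the bytes the standard decoder may consume from an
// untrusted io.Reader, so binary.ReadUvarint terminates with an error
// (EOF/unexpected EOF or overflow) instead of looping.
func ReadUvarintLimited(r io.Reader) (uint64, error) {
	lr := bufio.NewReader(io.LimitReader(r, binary.MaxVarintLen64))
	return binary.ReadUvarint(lr)
}

// endlessContinuation is a constructed reader that never produces a
// terminating byte: every byte is 0x80 (continuation bit set, no data).
type endlessContinuation struct{}

func (endlessContinuation) ReadByte() (byte, error) { return 0x80, nil }

func (endlessContinuation) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0x80
	}
	return len(p), nil
}

func main() {
	// 0xAC 0x02 is the valid encoding of 300 (constructed sample input).
	v, err := ReadUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println("valid input:", v, err)

	// The endless stream is rejected after MaxVarintLen64 bytes.
	_, err = ReadUvarintBounded(endlessContinuation{})
	fmt.Println("endless continuation bytes:", err)

	_, err = ReadUvarintLimited(endlessContinuation{})
	fmt.Println("limited standard decoder:", err)
}
```

Both decoders return an error rather than blocking, which is the observable difference between the patched and unpatched behaviour: a bounded decoder converts a hostile stream into an ordinary parse failure the caller can log and reject.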
What is the Impact of CVE-2020-16845?
Successful exploitation may allow attackers to cause an infinite loop in the processing of binary data, leading to a denial of service and application unresponsiveness.
What is the Exploitability of CVE-2020-16845?
Exploitation of this Infinite Loop vulnerability is of moderate complexity. An attacker must send or provide specific malformed binary inputs to an application that utilizes the `ReadUvarint` or `ReadVarint` functions from the vulnerable Go versions. Prerequisites include the target application parsing binary data from an untrusted source. Authentication requirements depend on whether the input mechanism is accessible without prior authentication. If the application processes binary data from unauthenticated network requests, the attack can be unauthenticated. Privilege requirements are low, as the attack targets the application's internal parsing logic. This is typically a remote exploitation scenario, where an attacker can transmit the malicious binary data over a network connection to a Go application. The risk is higher for network services or applications that parse proprietary binary protocols or file formats from external users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-16845?
Available Upgrade Options
- github.com/ulikunitz/xz
  - <0.5.8 → Upgrade to 0.5.8
- stdlib
  - <1.13.15 → Upgrade to 1.13.15
Additional Resources
- https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258
- https://github.com/ulikunitz/xz/issues/35
- https://security.netapp.com/advisory/ntap-20200924-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2020-16845
- https://osv.dev/vulnerability/GO-2021-0142
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WV2VWKFTH4EJGZBZALVUJQJOAQB5MDQ4/
- https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://groups.google.com/g/golang-announce/c/NyPIaucMgXo
What are Similar Vulnerabilities to CVE-2020-16845?
Similar Vulnerabilities: CVE-2021-31684, CVE-2021-35587, CVE-2022-37454, CVE-2018-1000007, CVE-2017-7617
