In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Go | Golang | * | 1.13.13 (excluding) |
| Go | Golang | 1.14.0 (including) | 1.14.5 (excluding) |
| Golang | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | trusty | * |
| Golang-1.12 | Ubuntu | eoan | * |
| Golang-1.13 | Ubuntu | eoan | * |
| Golang-1.14 | Ubuntu | devel | * |
| Golang-1.6 | Ubuntu | trusty | * |
Potential Mitigations
Related Attack Patterns
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html
- https://groups.google.com/forum/#%21forum/golang-announce
- https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w
- https://security.netapp.com/advisory/ntap-20200731-0005/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html
- https://groups.google.com/forum/#%21forum/golang-announce
- https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w
- https://security.netapp.com/advisory/ntap-20200731-0005/
- https://www.oracle.com/security-alerts/cpuApr2021.html