At least they are using #golang https://www.ac3.com.au/resources/discovery-of-CVE-2024-2550/
#golang #atx
Austin Go(phers): it's that time again! Tonight is the November ATX Golang Meetup. Charles Southerland and I will both be speaking. Swing by for pizza, beer, and general nerdiness around Go. Tonight's meetup is at 7:00pm at the Capital Factory on floor 5 (in the "ACL" room):
#golang #atx
Tonight's Go meetup in Austin, Texas is located within Capital Factory on the 16th floor in the Antone's room. The meeting starts at 6:30 and we have at least one talk queued up. There will be pizza, drinks, and general nerdiness around Go!
#golang #atx
ATX Golang Meetup is this Wednesday in Austin, Texas - https://www.meetup.com/atxgolang/events/301842145/
Have a neat Go project you want to share? A short talk? Swing on by! There will be pizza & drinks!
#golang #programming #fedihired
runZero.com (@runZeroInc) is hiring software engineers who love Go! These roles are 100% remote but require residence in the mainland US and a green card or citizenship https://www.runzero.com/about/careers/
Apply through the web site to get started and feel free to DM with any questions.
Wondering what we do? Grab a free trial and a community edition license for your homelab at https://www.runzero.com/try/
#golang
Looking for something to do in ~90 minutes over a meal? Drop by for the @runZeroInc Hour webcast today with me, @lorddimwit, and @blainsmith.
We're chatting about remote detection of the xz-utils affected SSH binaries, our upcoming research report, the Palo Alto Networks RCE and surprise #golang zero-day in gorilla/sessions, Binarly's epic lighttpd vulnerability and supply chain research, and much more!
https://runzero.zoom.us/webinar/register/1217102670048/WN_4Po_Qnx4S1Og3Plm9KyiZA#/registration
#golang #cve_2024_3400
The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655
This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.
https://github.com/golang/vulndb/issues/2730
If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
#golang #vulnerability
Huh. So the Gorilla project went into archive-only mode in 2022. The gorilla/sessions project opened an issue asking for a new maintainer, this issue was closed as "stale", and a final comment was added indicating that the project is archived: https://github.com/gorilla/sessions/issues/250
The Gorilla project website, however, states that as of July 2023, a new maintainer has been identified, and the gorilla/mux project is seeing recent commits, so hopefully the same maintainers are also managing gorilla/sessions. The gorilla/sessions CI automation is failing with a bad credential and it looks like the sessions project specifically hasn't seen much love lately. #golang #vulnerability
Looks like quite a few projects are using session.FilesystemStore: https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code
#golang
The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274
Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery of (and providing a fix for) the gorilla/sessions bug.
#golang
#golang PSA: If you are shipping binaries built with Go 1.21.1 or newer to Linux systems with Transparent Huge Pages (THP) enabled (default in many cases), you either need to tweak the system THP settings via SysFS or upgrade to Go 1.21.6 AND set the workaround GODEBUG=disablethp environment variable.
If you don't, it can lead to what looks like a slow memory leak and eventually an out-of-memory condition. The issue doesn't affect every application (it depends on your memory use patterns), but when it does trigger, it's a pain to debug.
Go docs on THP: https://go.dev/doc/gc-guide#Linux_transparent_huge_pages
Github issue: https://github.com/golang/go/issues/64561
Original Linux kernel issue: https://bugzilla.kernel.org/show_bug.cgi?id=93111
Huge thanks to @TomSellers for tracking this down. The latest @runZeroInc build (4.0.240109.0) includes the fix for self-hosted customers.
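As an added example (not from the original posts, nor runZero's code), a POSIX shell check that applies the PSA above: it classifies a host's THP mode plus a binary's Go version and GODEBUG against the stated thresholds. Assumptions: only a THP mode of `never` counts as the sysfs-side workaround, the GODEBUG setting is matched in its full `disablethp=1` form, and `check_binary` needs a local go toolchain for `go version -m`.

```shell
#!/bin/sh
# Added example, not from the original posts: classify a Linux host and a Go
# binary against the THP advice above (Go >= 1.21.1 affected; mitigated by
# THP off in sysfs, or Go >= 1.21.6 plus GODEBUG=disablethp=1).

# Extract the active THP mode from the sysfs line, e.g. "always [madvise] never".
thp_mode() {
  printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print 1 if Go version $1 is at least $2 (both in "go1.21.3" form), else 0.
# A missing patch number (e.g. "go1.21") is treated as patch 0.
go_ge() {
  a=${1#go}; b=${2#go}
  a1=${a%%.*}; r=${a#*.}; a2=${r%%.*}; a3=${r#*.}
  if [ "$a3" = "$r" ]; then a3=0; fi
  b1=${b%%.*}; r=${b#*.}; b2=${r%%.*}; b3=${r#*.}
  if [ "$b3" = "$r" ]; then b3=0; fi
  if [ $((a1*1000000 + a2*1000 + a3)) -ge $((b1*1000000 + b2*1000 + b3)) ]; then
    echo 1
  else
    echo 0
  fi
}

# Classify one binary: $1 = sysfs "enabled" line, $2 = Go version, $3 = GODEBUG.
# Assumption: only THP mode "never" is counted as the sysfs-side workaround.
thp_status() {
  if [ "$(go_ge "$2" go1.21.1)" = 0 ]; then echo unaffected; return; fi
  if [ "$(thp_mode "$1")" = never ]; then echo mitigated-thp-off; return; fi
  case ",$3," in
    *,disablethp=1,*)
      if [ "$(go_ge "$2" go1.21.6)" = 1 ]; then echo mitigated-godebug; return; fi ;;
  esac
  echo at-risk
}

# Live check of a binary on this host; `go version -m` prints "<path>: go1.x.y".
check_binary() {
  line=$(cat /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null) || { echo unknown-thp; return; }
  ver=$(go version -m "$1" 2>/dev/null | sed -n '1s/.*: //p')
  thp_status "$line" "$ver" "${GODEBUG:-}"
}
```

Run `check_binary /path/to/service` on each host; `at-risk` means the binary is built with an affected Go and neither workaround is in place.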
Copyright 1998-2024 HD Moore