CVE-2022-24675 – Stack overflow (exhaustion) in Go’s PEM decoder

Go stack overflow vulnerability - CVE-2022-24675

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in previous versions.

We discovered that the newly fixed bug – assigned CVE-2022-24675 – was introduced in a very early version (it existed in version 1.4 and was possibly introduced before that in a minor release), and has been there for at least 8 years. We also found that CVE-2022-24675 was announced with no details other than the patch, the commit details and a test case.

CVE-2022-24675 can be triggered by calling the Decode function with a large buffer containing malformed PEM data. Though attackers would need to perform per-target research to see if and how they can exploit the vulnerability, the exploitation itself is trivial, and can potentially cause a Denial of Service on the targeted application.

In this blogpost we provide details on the vulnerability, who is affected and how to remediate.

What is CVE-2022-24675?

CVE-2022-24675 is a Denial of Service (DoS) vulnerability in Go’s builtin encoding/pem package. The vulnerability affects all Go versions up to and including 1.18.0 and 1.17.8.

The vulnerability is caused by Decode calling itself recursively, through the decodeError function, whenever an error is detected while decoding PEM data; with enough errors in the input, the recursion exhausts the goroutine stack. The input must be large enough (more than 5MB, as stated in the original issue) and must contain errors.

Here we can see the decodeError function, which is called after an error is detected, in encoding/pem.go:

// decodeError retries decoding on the remainder of the input after a
// malformed block. The call to Decode is the recursion: every malformed
// block adds one more Decode frame to the stack.
func decodeError(data, rest []byte) (*Block, []byte) {
    p, rest := Decode(rest)
    if p == nil {
        // nothing could be decoded further on: hand back the whole input
        rest = data
    }
    return p, rest
}
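To make the recursion visible, the following is an added example (not Go's encoding/pem source and not part of the original post) that models the decoder's control flow on a simplified PEM-like format: decodeRecursive keeps the decodeError shape shown above, where every malformed "-----BEGIN " marker costs one stack frame, and decodeIterative expresses the same retry as a loop, which is the shape the fix moved to. The names miniBlock, scanBlock, decodeRecursive, decodeIterative and sampleInput are hypothetical; the sample input is constructed from the CVE test-case pattern.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Constructed, simplified model of the PEM decoder's control flow; this is an
// added example and not Go's encoding/pem code. A block here has the shape
// "-----BEGIN T-----\n<body>\n-----END T-----". The names miniBlock, scanBlock,
// decodeRecursive, decodeIterative and sampleInput are hypothetical.
type miniBlock struct {
	Type string
	Body []byte
}

var (
	beginMarker = []byte("-----BEGIN ")
	dashes      = []byte("-----")
)

// scanBlock tries to parse one block at the first BEGIN marker in data.
// It returns (block, rest, malformed). When malformed is true, rest points just
// past the bad marker so the caller can resume the search there; that
// "skip this marker and try again" step is what decodeError did in Go.
func scanBlock(data []byte) (*miniBlock, []byte, bool) {
	i := bytes.Index(data, beginMarker)
	if i < 0 {
		return nil, data, false // no marker left: give up, nothing was skipped
	}
	rest := data[i+len(beginMarker):]
	nl := bytes.IndexByte(rest, '\n')
	if nl < 0 || !bytes.HasSuffix(rest[:nl], dashes) {
		return nil, rest, true // header line not closed by "-----": malformed
	}
	typ := string(bytes.TrimSuffix(rest[:nl], dashes))
	body := rest[nl+1:]
	endLine := []byte("-----END " + typ + "-----")
	j := bytes.Index(body, endLine)
	if j < 0 {
		return nil, rest, true // no matching END line: malformed
	}
	return &miniBlock{Type: typ, Body: bytes.TrimSpace(body[:j])}, body[j+len(endLine):], false
}

// decodeRecursive has the pre-fix shape: on malformed input it calls itself on
// the remainder, so stack depth grows with the number of bad markers in the input.
func decodeRecursive(data []byte) (*miniBlock, []byte) {
	blk, rest, malformed := scanBlock(data)
	if blk != nil {
		return blk, rest
	}
	if !malformed {
		return nil, data
	}
	// This is the decodeError pattern: retry on the remainder, and if that
	// yields nothing, hand back the whole input unchanged.
	p, r := decodeRecursive(rest)
	if p == nil {
		r = data
	}
	return p, r
}

// decodeIterative has the post-fix shape: the same retry, expressed as a loop,
// so the stack stays flat no matter how many bad markers the input contains.
func decodeIterative(data []byte) (*miniBlock, []byte) {
	rest := data
	for {
		blk, next, malformed := scanBlock(rest)
		if blk != nil {
			return blk, next
		}
		if !malformed {
			return nil, data
		}
		rest = next
	}
}

// sampleInput builds constructed test data: n malformed "-----BEGIN \n" lines
// (the pattern from the CVE test case) followed by one well-formed block.
func sampleInput(n int) []byte {
	return []byte(strings.Repeat("-----BEGIN \n", n) +
		"-----BEGIN TEST-----\nYWJj\n-----END TEST-----\ntrailer")
}

func main() {
	in := sampleInput(1000)
	blk, rest := decodeIterative(in)
	fmt.Printf("type=%s body=%s rest=%q\n", blk.Type, blk.Body, rest)
}
```

Both functions return the same block and remainder on the same input; the difference is only in how many stack frames are alive while the malformed prefix is skipped, which is exactly the property the real fix changed.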

What is the impact of CVE-2022-24675?

According to the commit details, the vulnerability is described as a Stack Overflow, which can be an ambiguous term. A Stack Buffer Overflow vulnerability could lead to very dangerous impacts such as Remote Code Execution (RCE). However, in this case the vulnerability is “merely” a stack exhaustion, which can lead at most to Denial of Service. Indeed, the patch fixes the recursive call to Decode that causes the stack overflow/exhaustion by eliminating the use of recursion.

Who is affected by CVE-2022-24675?

CVE-2022-24675 affects all Go versions up to and including 1.18.0 and 1.17.8, but only affects Go programs that call the Decode function with a large buffer containing malformed PEM data – an example of such malformed data can be seen in the test case of this CVE.

func TestCVE202224675(t *testing.T) {
    // Prior to CVE-2022-24675, this input would cause a stack overflow.
    input := []byte(strings.Repeat("-----BEGIN \n", 10000000))
    result, rest := Decode(input)
    if result != nil || !reflect.DeepEqual(rest, input) {
        t.Errorf("Encode of %#v decoded as %#v", input, rest)
    }
}

Test case for this CVE – the input would cause a stack overflow/exhaustion prior to CVE-2022-24675

Is the JFrog platform vulnerable to CVE-2022-24675?

After conducting internal research, we can confirm that the JFrog DevOps platform is not vulnerable to CVE-2022-24675.

How can you remediate CVE-2022-24675?

To remediate this Go DoS vulnerability, we recommend upgrading Go to version 1.18.1 or 1.17.9. If that is not possible, we highly recommend applying the patch, which fixes the Decode function of the encoding/pem package by removing the decodeError function through which the recursive call was made.
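For programs that must accept PEM data from untrusted sources and cannot be rebuilt with a patched toolchain immediately, a compensating control is to bound the input size before it reaches Decode, since the CVE needs a multi-megabyte input. The following is an added example (not JFrog's or Go's code) built on the real encoding/pem API; the wrapper names readPEMBounded, decodeBounded and decodeFromReader, the 1 MiB cap and the sample inputs are all assumptions constructed for this illustration.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Added example, not JFrog's or Go's code. It wraps the real encoding/pem
// Decode with an input-size cap for data that arrives from untrusted sources.
// The names readPEMBounded, decodeBounded, decodeFromReader, sampleValidPEM,
// sampleMalformedPEM and the 1 MiB default are hypothetical/assumed policy.
var (
	ErrInputTooLarge = errors.New("pem: input exceeds configured size limit")
	ErrNoBlock       = errors.New("pem: no PEM block found")
)

// defaultMaxPEM is an assumed upper bound; real certificates and keys are a few
// kilobytes, far below the multi-megabyte inputs the CVE requires.
const defaultMaxPEM int64 = 1 << 20

// readPEMBounded reads at most maxLen bytes from r and fails if more are present,
// so an oversized payload is rejected before it ever reaches pem.Decode.
func readPEMBounded(r io.Reader, maxLen int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxLen+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxLen {
		return nil, ErrInputTooLarge
	}
	return data, nil
}

// decodeBounded applies the same cap to an in-memory buffer and turns the
// (nil, data) "no block" result of pem.Decode into an explicit error.
func decodeBounded(data []byte, maxLen int64) (*pem.Block, []byte, error) {
	if int64(len(data)) > maxLen {
		return nil, data, ErrInputTooLarge
	}
	blk, rest := pem.Decode(data)
	if blk == nil {
		return nil, rest, ErrNoBlock
	}
	return blk, rest, nil
}

// decodeFromReader is the combined entry point for untrusted streams.
func decodeFromReader(r io.Reader, maxLen int64) (*pem.Block, error) {
	data, err := readPEMBounded(r, maxLen)
	if err != nil {
		return nil, err
	}
	blk, _, err := decodeBounded(data, maxLen)
	return blk, err
}

// sampleValidPEM is a constructed, well-formed block whose body is base64("hello").
func sampleValidPEM() string {
	return "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"
}

// sampleMalformedPEM is the CVE test-case pattern, constructed at a chosen size.
func sampleMalformedPEM(n int) string {
	return strings.Repeat("-----BEGIN \n", n)
}

func main() {
	blk, err := decodeFromReader(strings.NewReader(sampleValidPEM()), defaultMaxPEM)
	fmt.Println(blk.Type, string(blk.Bytes), err)
	// 100 repetitions are 1200 bytes, which a 1024-byte cap rejects before Decode runs.
	_, err = decodeFromReader(strings.NewReader(sampleMalformedPEM(100)), 1024)
	fmt.Println(err)
}
```

The cap is checked on the way in (io.LimitReader reads one byte past the limit so oversize is detected rather than silently truncated) and again in decodeBounded for callers that already hold a buffer; pick the limit from the largest legitimate object the endpoint is expected to receive.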

Stay up-to-date with JFrog Security Research

Follow the latest discoveries and technical updates from the JFrog Security Research team in our security research blog posts and on Twitter at @JFrogSecurity.

Find vulnerable versions with JFrog Xray

In addition to exposing new security vulnerabilities and threats, JFrog provides developers and security teams easy access to the latest relevant information for their software with automated security scanning by the JFrog Xray SCA tool.