A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6886-1 advisory.

    It was discovered that the Go net/http module did not properly handle the requests when request\'s headers     exceed MaxHeaderBytes. An attacker could possibly use this issue to cause a panic resulting into a denial     of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45288)

    It was discovered that the Go net/http module did not properly validate the subdomain match or exact match     of the initial domain. An attacker could possibly use this issue to read sensitive information. This issue     only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)

    It was discovered that the Go net/http module did not properly validate the total size of the parsed form     when parsing a multipart form. An attacker could possibly use this issue to cause a panic resulting into a     denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
    (CVE-2023-45290)

    It was discovered that the Go crypto/x509 module did not properly handle a certificate chain which     contains a certificate with an unknown public key algorithm. An attacker could possibly use this issue to     cause a panic resulting into a denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and     Ubuntu 22.04 LTS. (CVE-2024-24783)

    It was discovered that the Go net/mail module did not properly handle comments within display names in the     ParseAddressList function. An attacker could possibly use this issue to cause a panic resulting into a     denial of service. This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
    (CVE-2024-24784)

    It was discovered that the Go html/template module did not validate errors returned from MarshalJSON     methods. An attacker could possibly use this issue to inject arbitrary code into the Go template. This     issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-24785)

    It was discovered that the Go net module did not properly validate the DNS message in response to a query.
    An attacker could possibly use this issue to cause a panic resulting into a denial of service. This issue     only affected Go 1.22. (CVE-2024-24788)

    It was discovered that the Go archive/zip module did not properly handle certain types of invalid zip     files differs from the behavior of most zip implementations. An attacker could possibly use this issue to     cause a panic resulting into a denial of service. (CVE-2024-24789)

    It was discovered that the Go net/netip module did not work as expected for IPv4-mapped IPv6 addresses in     various Is methods. An attacker could possibly use this issue to cause a panic resulting into a denial of     service. (CVE-2024-24790)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the d3847eba-114b-11ef-9c21-901b0e9408dc advisory.

  - A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite     loop. (CVE-2024-24788)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Golang running on the remote host is 1.22.x prior to 1.22.2. It is, therefore, affected by a denial of service (DoS) vulnerability. A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1587-1 advisory.

  - On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the     Apple version of ld, due to usage of the -lto_library flag in a #cgo LDFLAGS directive. (CVE-2024-24787)

  - A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite     loop. (CVE-2024-24788)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1573-1 advisory.

  - On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the     Apple version of ld, due to usage of the -lto_library flag in a #cgo LDFLAGS directive. (CVE-2024-24787)

  - A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite     loop. (CVE-2024-24788)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202081	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS : Go vulnerabilities (USN-6886-1)	Nessus	Ubuntu Local Security Checks	critical
196913	FreeBSD : go -- net: malformed DNS message can cause infinite loop (d3847eba-114b-11ef-9c21-901b0e9408dc)	Nessus	FreeBSD Local Security Checks	medium
196901	Golang 1.22.x < 1.22.3 DoS	Nessus	Misc.	medium
195475	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.22 (SUSE-SU-2024:1587-1)	Nessus	SuSE Local Security Checks	medium
195294	SUSE SLES12 Security Update : go1.22 (SUSE-SU-2024:1573-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2024-24788

high

Tenable Plugins

critical

medium

medium

medium

medium