Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛Cloudflared is vulnerable to CVE-2024-24790 #1311

Open
matthias2 opened this issue Aug 21, 2024 · 4 comments
Open

🐛Cloudflared is vulnerable to CVE-2024-24790 #1311

matthias2 opened this issue Aug 21, 2024 · 4 comments
Labels
Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working

Comments

@matthias2
Copy link

Describe the bug
Cloudflared is vulnerable to the stdlib that is in the Golang 1.22.2 version in module net/netip. It is 9.8/10 critical as shown in the vulnerability CVE-2024-24790.

To Reproduce
Steps to reproduce the behavior:

$ wget -q https://github.com/cloudflare/cloudflared/releases/download/2024.8.2/cloudflared-fips-linux-amd64

$ govulncheck -mode binary cloudflared-fips-linux-amd64
=== Symbol Results ===

Vulnerability #1: GO-2024-2963
    Denial of service due to improper 100-continue handling in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2963
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Vulnerable symbols found:
      #1: http.Client.CloseIdleConnections
      #2: http.Client.Do
      #3: http.Client.Get
      #4: http.Client.Head
      #5: http.Client.Post
      Use '-show traces' to see the other 4 found symbols

Vulnerability #2: GO-2024-2887
    Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in
    net/netip
  More info: https://pkg.go.dev/vuln/GO-2024-2887
  Standard library
    Found in: net/[email protected]
    Fixed in: net/[email protected]
    Vulnerable symbols found:
      #1: netip.Addr.IsGlobalUnicast
      #2: netip.Addr.IsInterfaceLocalMulticast
      #3: netip.Addr.IsLinkLocalMulticast
      #4: netip.Addr.IsLoopback
      #5: netip.Addr.IsMulticast
      Use '-show traces' to see the other 1 found symbols

Vulnerability #3: GO-2024-2824
    Malformed DNS message can cause infinite loop in net
  More info: https://pkg.go.dev/vuln/GO-2024-2824
  Standard library
    Found in: [email protected]
    Fixed in: [email protected]
    Vulnerable symbols found:
      #1: net.Dial
      #2: net.DialTimeout
      #3: net.Dialer.Dial
      #4: net.Dialer.DialContext
      #5: net.Listen
      Use '-show traces' to see the other 19 found symbols

Vulnerability #4: GO-2024-2785
    CoreDNS may return invalid cache entries in github.com/coredns/coredns
  More info: https://pkg.go.dev/vuln/GO-2024-2785
  Module: github.com/coredns/coredns
    Found in: github.com/coredns/[email protected]
    Fixed in: github.com/coredns/[email protected]
    Vulnerable symbols found:
      #1: cache.Cache.ServeDNS
      #2: cache.ResponseWriter.WriteMsg
      #3: cache.verifyStaleResponseWriter.WriteMsg

Your code is affected by 4 vulnerabilities from 1 module and the Go standard library.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.

Expected behavior
No Vulns show up.

Environment and versions

  • OS: Linux
  • Architecture: amd64
  • Version: 2024.08.2

Additional context
Upgrade Golang version to at least 1.22.4

@matthias2 matthias2 added Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working labels Aug 21, 2024
@Ahmed-Alhameedawi
Copy link

Is there any eta on this? Do you mind explaining why a critical CVE is marked as a normal priority?

@MilitaoLucas
Copy link

MilitaoLucas commented Sep 15, 2024

Is it applicable in this case? Is a vulnerable function of stdlib being used?

"but your code doesn't appear to call these vulnerabilities."

Here is your answer. This is a non-serious issue and should be fixed with normal priority.

@itaysk
Copy link

itaysk commented Sep 15, 2024

Hi There, I'm Itay from Aqua Security, creators of popular OSS vulnerability scanner Trivy. This issue was flagged for me and I wanted to chime in to add that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub
This might be a good opportunity to add a VEX statement to suppress this irrelevant vulnerability, so that your users who scan your artifact with Trivy, or other VEX-enabled scanners, will have peace of mind that your are aware of it and concluded it not relevant. Feel free to reach me or the Trivy team if you have any issues/feedback.

@mikocot
Copy link

mikocot commented Oct 21, 2024

Is it applicable in this case? Is a vulnerable function of stdlib being used?

"but your code doesn't appear to call these vulnerabilities."

Here is your answer. This is a non-serious issue and should be fixed with normal priority.

The vulnerability is fixed in 1.22.4 so this should be a relatively minor change for you. You might not consider this vulnerability applicable to your code, but effectively it tags the whole image as insecure and it does not pass scans by standard cybersec tools.

Ultimately that greatly reduces trust to cloudflare products or may render it completely unusable in more rigid corporate environments. Especially since Cloudflare products are ultimately meant to improve security and are used in the most sensitive and exposed applications.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working
Projects
None yet
Development

No branches or pull requests

5 participants