CVE-2023-45283 Overview
CVE-2023-45283 is a Path Traversal vulnerability affecting the Go programming language's filepath package on Windows systems. The vulnerability stems from the package's failure to properly recognize paths with a \??\ prefix as special Windows Root Local Device paths. On Windows, a path beginning with \??\ is equivalent to a path beginning with \\?\, allowing attackers to potentially access arbitrary locations on the system.
The filepath.Clean() function could convert a rooted path such as \a\..\??\b into the root local device path \??\b, and filepath.Join(\, ??, b) could similarly convert seemingly innocent path elements into the root local device path \??\b. This behavior could be exploited to bypass path validation and access files outside intended directories.
Critical Impact
Attackers can leverage this path traversal vulnerability to bypass security controls and access arbitrary file system locations on Windows systems running vulnerable Go applications.
Affected Products
- Golang Go (versions prior to 1.20.11 and 1.21.4)
- Microsoft Windows (as the underlying operating system)
- Applications built with vulnerable Go versions using filepath package
Discovery Timeline
- 2023-11-09 - CVE-2023-45283 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-45283
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal) and affects Go applications running on Windows that use the filepath package for path manipulation. The core issue lies in how the filepath package handles Windows Root Local Device paths.
Windows supports multiple path formats, including standard paths (e.g., c:\x) and Root Local Device paths (e.g., \\?\c:\x or \??\c:\x). The \??\ prefix is a less common but equally valid way to specify a Root Local Device path, providing direct access to the Windows Object Manager namespace.
The vulnerability can be exploited remotely when applications accept user-controlled input that is processed by the filepath.Clean() or filepath.Join() functions without proper validation.
Root Cause
The root cause is the filepath package's incomplete recognition of Windows path prefixes. While the package correctly identified \\?\ as a special prefix, it failed to recognize \??\ as an equivalent Root Local Device path indicator. This oversight allowed path traversal sequences to be manipulated in ways that could escape intended directory boundaries.
Specifically, the IsAbs() function incorrectly reported paths beginning with \??\ as non-absolute, and VolumeName() failed to recognize the \??\ prefix as a volume name. These incorrect assessments led to improper path normalization in Clean() and Join() operations.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Providing a crafted path containing the \??\ prefix to a vulnerable Go application
- Using path traversal sequences combined with the \??\ prefix to bypass path sanitization
- Accessing files or directories outside the intended scope
For example, an attacker could provide input like \a\..\??\c:\sensitive\file.txt to an application that uses filepath.Clean() for path validation. The function would incorrectly normalize this to \??\c:\sensitive\file.txt, potentially granting access to sensitive system files.
The vulnerability mechanism involves the filepath.Clean() function improperly handling path normalization when encountering the \??\ prefix combined with parent directory traversal sequences (..). The function would resolve the traversal while preserving the root local device path, effectively bypassing directory restrictions. See the Go.dev Issue Tracker #63713 for detailed technical analysis.
Detection Methods for CVE-2023-45283
Indicators of Compromise
- Presence of \??\ path prefixes in application logs or web server access logs
- Unexpected file access patterns targeting system directories or sensitive files
- Error messages indicating access attempts to paths outside application directories
- Anomalous path strings containing both traversal sequences (..) and \??\ prefixes
Detection Strategies
- Implement log monitoring for path manipulation attempts containing \??\ or \\?\ prefixes
- Deploy application-level input validation to detect and block suspicious path patterns
- Use SentinelOne's behavioral AI to detect unusual file system access patterns
- Configure file integrity monitoring on sensitive directories to alert on unauthorized access
Monitoring Recommendations
- Enable verbose logging for file operations in Go applications
- Monitor Windows Security Event logs for suspicious file access (Event IDs 4663, 4656)
- Deploy network-level inspection to detect path traversal attempts in HTTP requests
- Implement real-time alerting for access attempts to critical system paths
How to Mitigate CVE-2023-45283
Immediate Actions Required
- Upgrade Go to version 1.20.11, 1.21.4, or later immediately
- Audit all Go applications using the filepath package for potential exposure
- Implement additional input validation for user-supplied file paths
- Review application logs for any historical exploitation attempts
Patch Information
The Go team has addressed this vulnerability in Go versions 1.20.11 and 1.21.4. The fix ensures that filepath.Clean() now converts paths like \a\..\??\b to .\??\b instead of \??\b, and filepath.Join(\, ??, b) converts to \.\??\b instead of \??\b. Additionally, IsAbs() now correctly reports paths beginning with \??\ as absolute, and VolumeName() properly recognizes the \??\ prefix as a volume name.
For detailed patch information, see the Go.dev Code Review #540277 and Go.dev Vulnerability Report GO-2023-2185.
Workarounds
- Implement application-level path validation that explicitly rejects paths containing \??\ or \\?\ prefixes
- Use allow-list validation for file paths rather than deny-list approaches
- Restrict file operations to specific, known-safe directories using chroot-like containment
- Deploy web application firewalls (WAF) with rules to block path traversal attempts
# Check Go version and update
go version
# Update to patched version
go install golang.org/dl/go1.21.4@latest
go1.21.4 download
# Verify installed version
go1.21.4 version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
