OpenTelemetry-Go PATH Hijacking Vulnerability in Resource Detection on BSD and Solaris

Vulnerability

A PATH hijacking vulnerability has been identified in OpenTelemetry-Go, affecting versions from 1.15.0 up to but not including 1.42.0. The issue lies in the resource detection code for BSD and Solaris platforms, which runs the 'kenv' command by its bare name rather than an absolute path. In Go, exec.Command with a bare name resolves it through exec.LookPath, which walks the process's PATH in order and runs the first executable it finds. An attacker with local access who can write to a directory that appears in the application's PATH ahead of the system 'kenv' (or who can influence the PATH the application is started with) can plant a malicious 'kenv' binary there; the application then executes it, resulting in arbitrary code execution. Note that since Go 1.19 exec.LookPath refuses to return a match from a relative PATH entry such as '.', so the hijack requires an absolute, attacker-writable directory in PATH, not merely a lax current-directory entry.

Impact

Exploitation of this vulnerability allows arbitrary code execution with the privileges of the process that uses OpenTelemetry-Go. Where that process runs as a different or more privileged user than the attacker, for example a system service on a shared host, this amounts to local privilege escalation.

Reproduction

To reproduce this vulnerability, an attacker must have local access to a BSD or Solaris system running a Go application that imports the OpenTelemetry-Go SDK and performs host ID resource detection (enabled with resource.WithHostID(); it is not part of resource.Default()). The attacker places a malicious 'kenv' binary in a writable directory that precedes the system 'kenv' in the application's PATH. When the application initializes resource detection, the SDK invokes 'kenv' by name, the lookup resolves to the planted binary, and it runs with the application's privileges.
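The mechanism described above, shown as an added example that is not code from this page or from the OpenTelemetry-Go project: a fake 'kenv' is planted in a fresh directory, that directory is prepended to PATH, and the vulnerable lookup (exec.LookPath, which is what exec.Command performs for a bare name) picks it up, while a hardened resolver that consults only fixed absolute system directories does not. The trusted directory list, the '/bin/kenv' location and the '-q smbios.system.uuid' arguments are assumptions for illustration; the page does not state what the upstream fix uses.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// hijackDemo records what the two lookup strategies resolve "kenv" to
// while an attacker-controlled directory sits at the front of PATH.
type hijackDemo struct {
	TmpDir     string // attacker-writable directory prepended to PATH
	ViaPath    string // what exec.LookPath("kenv") picked (the vulnerable behaviour)
	ViaTrusted string // what resolveTrusted picked, "" if kenv is absent from the trusted dirs
	TrustedErr error
}

// trustedDirs is an assumption for this example: the system directories a
// hardened caller is willing to run kenv from (on FreeBSD kenv lives in /bin).
var trustedDirs = []string{"/bin", "/usr/bin", "/sbin", "/usr/sbin"}

// resolveTrusted resolves a bare command name only against fixed absolute
// directories and never consults PATH. Names containing a path separator are
// rejected so a caller cannot smuggle in "../tmp/kenv".
func resolveTrusted(name string, dirs []string) (string, error) {
	if name == "" || strings.ContainsRune(name, os.PathSeparator) {
		return "", fmt.Errorf("refusing path-like command name %q", name)
	}
	for _, dir := range dirs {
		if !filepath.IsAbs(dir) {
			return "", fmt.Errorf("trusted directory %q is not absolute", dir)
		}
		candidate := filepath.Join(dir, name)
		info, err := os.Stat(candidate)
		if err != nil {
			continue
		}
		if info.Mode().IsRegular() && info.Mode().Perm()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("%s not found in trusted directories %v", name, dirs)
}

// hostIDCommand is the hardened form of the affected call: the binary is
// resolved to an absolute path first, so exec never walks PATH. The kenv
// arguments are an assumption about what a BSD host-ID reader asks for.
func hostIDCommand(ctx context.Context) (*exec.Cmd, error) {
	bin, err := resolveTrusted("kenv", trustedDirs)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, bin, "-q", "smbios.system.uuid"), nil
}

// demonstrateHijack plants a fake kenv, puts its directory first in PATH and
// compares the vulnerable lookup with the trusted one. The caller removes TmpDir.
func demonstrateHijack() (hijackDemo, error) {
	tmp, err := os.MkdirTemp("", "path-hijack")
	if err != nil {
		return hijackDemo{}, err
	}
	// Constructed payload standing in for the attacker's kenv.
	fake := filepath.Join(tmp, "kenv")
	if err := os.WriteFile(fake, []byte("#!/bin/sh\necho hijacked\n"), 0o755); err != nil {
		return hijackDemo{}, err
	}
	oldPath := os.Getenv("PATH")
	os.Setenv("PATH", tmp+string(os.PathListSeparator)+oldPath)
	defer os.Setenv("PATH", oldPath)

	d := hijackDemo{TmpDir: tmp}
	d.ViaPath, err = exec.LookPath("kenv") // vulnerable: first match on PATH wins
	if err != nil {
		return d, err
	}
	d.ViaTrusted, d.TrustedErr = resolveTrusted("kenv", trustedDirs)
	return d, nil
}

func main() {
	d, err := demonstrateHijack()
	if err != nil {
		fmt.Println("demo failed:", err)
		os.Exit(1)
	}
	defer os.RemoveAll(d.TmpDir)
	fmt.Println("exec.LookPath(\"kenv\") ->", d.ViaPath)
	if d.TrustedErr != nil {
		fmt.Println("resolveTrusted(\"kenv\") ->", d.TrustedErr)
	} else {
		fmt.Println("resolveTrusted(\"kenv\") ->", d.ViaTrusted)
	}
	if _, err := hostIDCommand(context.Background()); err != nil {
		fmt.Println("hostIDCommand:", err)
	}
}
```

On a Linux host the trusted lookup reports that kenv is absent, which is the correct failure mode: the detector should skip host ID detection rather than fall back to PATH. On a BSD host it returns the system binary.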

Remediation

Users should upgrade to OpenTelemetry-Go version 1.43.0 or later, where this vulnerability has been fixed. Until the upgrade is deployed, do not enable host ID detection on affected platforms, and verify that no directory writable by unprivileged users precedes the system 'kenv' in the PATH the service starts with; setting an explicit, minimal PATH in the service manager's unit or rc configuration removes the attacker's lever entirely.

Added: Apr 8, 2026, 10:08 PM
Updated: Apr 8, 2026, 10:08 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 3.2
remediation: 7.7
relevance: 5.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.