The developers of Git announced that a vulnerability in the software can be exploited for a remote code execution using malicious repositories. Patches for most platforms have been released to block possible attacks exploiting CVE-2018-11233 and CVE-2018-11235. Repository hosting service providers should update their versions and block malicious repos, while users running their own clients are reminded to immediately patch. Enterprises with their own internal Git servers are urged to update their software immediately to prevent and block malicious repositories and submodules.
CVE-2018-11235, which was discovered by Etienne Stalmans, is regarded as the more dangerous of the two vulnerabilities found. With this vulnerability, cybercriminals can abuse Git repository folders’ and submodules’ naming and command functions. Git remote repositories may have submodule definitions bundled with repository data, all contained inside a parent repository (“.git” or “git directory”) and saved on disk. When cloned (“git clone”), scripts like hooks can be run without having to check the files from the working directory because the submodules are contained inside the parent repository, even if some of the configurations from the server are missing (“.git/config file”).
Hooks are small executable programs that can be run at certain points inside Git to automate tasks. If exploited by threat actors, a hook can be configured in the submodule repository and recursively cloned (“--recurse-submodules” or “git clone –recursive”), automatically running the malicious codes (“$GIT_DIR/modules” or append “../” into names).
CVE-2018-11233 is considered less dangerous: the severity relates to how it can be used to read random parts of memory in a Windows NTFS system. All versions of Git before 2.13.7 are affected by these vulnerabilities. Patches have been forward-ported to 2.14.4, 2.15.2, and 2.16.4.
Git users are advised to examine submodule folder names as a simple way to address the CVE-2018-11235 vulnerability. Hosting providers such as Windows, GitLab, GitHub, Debian, and Ubuntu have released updates since the discovery. Businesses and IT administrators are strongly advised to update their Git versions to prevent and block malicious repositories and submodules from abusing their systems.[Read: Microsoft’s April Patch Tuesday fixes remote code execution vulnerabilities in fonts and keyboard]
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.