The Git developer team and other firms offering Git repository hosting services have issued security updates to address a remote code execution vulnerability, tracked as CVE-2018-11235 in the Git source code versioning software.
“In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.” reads the description provided by the Mitre organization.
“With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone –recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.”
The vulnerability was discovered by the researcher Etienne Stalmans as part of GitHub’s bug bounty program.
The CVE-2018-11235 could be exploited by an attacker to set up a malformed Git repository containing a specially-built Git submodule. The attacker needs to trick victims into clone the rogue repository to execute arbitrary code on users’ systems.
The problem resides in the way the Git client handles the specially-built Git submodule.
The release also includes the support for Git server-side component that could be used by Git hosting services to detect code repositories containing malicious submodules and prevent their upload.
“In addition to the above fixes, this release adds support on the server side that reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading.” reads the release note for the v2.17.
“This is enabled by the same receive.fsckObjects configuration on the server side as other security and sanity related checks (e.g. rejecting tree entry “.GIT” in a wrong case as tracked contents, targetting victims on case insensitive systems) that have already been implemented in the past releases. It is recommended to double check your configuration if you are hosting contents for other people.”
Major Git hosting services like GitHub and Microsoft have already installed the security patches.
Edward Thomson, Program Manager for Visual Studio Team Services, confirmed that Git 2.17.1 and Git for Windows 2.17.1 (2) already include the fix for the flaws and encourages all users to update their Git clients as soon as possible.
Thomson published a technical analysis for the CVE-2018-11235 vulnerability.
(Security Affairs – CVE-2018-11235, Git)