The Git developer team and other firms offering Git repository hosting services have issued security updates to address a remote code execution vulnerability, tracked as CVE-2018-11235 in the Git source code versioning software.
“In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur.” reads the description provided by the Mitre organization.
“With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs “git clone –recurse-submodules” because submodule “names” are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.”
The vulnerability was discovered by the researcher Etienne Stalmans as part of GitHub’s bug bounty program.
The CVE-2018-11235 could be exploited by an attacker to set up a malformed Git repository containing a specially-built Git submodule. The attacker needs to trick victims into clone the rogue repository to execute arbitrary code on users’ systems.
The problem resides in the way the Git client handles the specially-built Git submodule.
The release also includes the support for Git server-side component that could be used by Git hosting services to detect code repositories containing malicious submodules and prevent their upload.
“In addition to the above fixes, this release adds support on the server side that reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading.” reads the release note for the v2.17.
“This is enabled by the same receive.fsckObjects configuration on the server side as other security and sanity related checks (e.g. rejecting tree entry “.GIT” in a wrong case as tracked contents, targetting victims on case insensitive systems) that have already been implemented in the past releases. It is recommended to double check your configuration if you are hosting contents for other people.”
Major Git hosting services like GitHub and Microsoft have already installed the security patches.
Edward Thomson, Program Manager for Visual Studio Team Services, confirmed that Git 2.17.1 and Git for Windows 2.17.1 (2) already include the fix for the flaws and encourages all users to update their Git clients as soon as possible.
Thomson published a technical analysis for the CVE-2018-11235 vulnerability.
(Security Affairs – CVE-2018-11235, Git)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.