Serious Git flaw could lead to remote code execution attacks

Security researchers have discovered multiple flaws in Git that could allow hackers to run remote code on a victim’s PC. Git is a popular version control system used for source code management in software development.

The vulnerability, named CVE 2018-11235, could allow for arbitrary code execution by the attacker when a developer uses a malicious repository.

According to an advisory posted by the Git community, the vulnerability affects Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1.

Edward Thomson, program manager for Visual Studio Team Services, noted in his advisory that said, “a remote repository may contain a definition for a submodule, and also bundle that submodule repository data, checked in to the parent repository as a folder”.

Generally when an attacker clones a repository, he cannot access important information such as contents of .git/config file and hook scripts that will run at certain points within the git workflow from the server. A post-checkout hook script runs anytime git check the files in the working directory. However, with this submodule configuration vulnerability, the configuration can be cloned from the remote server itself, allowing the attacker to provide a malicious code to execute on the victim's computer.

“Since the submodule's repository is checked in to the parent repository, it's never actually cloned. The submodule repository can therefore actually have a hook already configured,” Thompson said.“So the attacker can bundle this repository configuration with a malicious post-checkout hook, and their code will be executed immediately upon your (recursive) clone of the repository.”

“They can no longer contain .. as a path segment, and they cannot be symbolic links, so they must be within the .git repository folder, and not in the actual repository's working directory,” he said. He also urged all Git clients to examine subfolder names closely as this could be an effective solution to the problem.

Another discovered by security researcher Etienne Stalmans named CVE-2018-11233 could allow a hacker to read random pieces of main memory when running on the NTFS file system. Users have been advised to update Git to v2.17.1 as early as possible. Thomson has also provided some simple steps to determine vulnerable versions and updates to fix affected versions as well.