Published on December 21st, 2014
Critical Git Client vulnerability Allows Malicious Remote Code Execution
Developers running the open source Git code-repository software and related tools, such as GitHub's clients, on Mac OS X and Windows computers are strongly advised to install a security update that patches a major vulnerability in Git clients, one that allows an attacker to hijack end-user computers.
The critical Git vulnerability affects all versions of the official Git client and all the related software that interacts with Git repositories, including GitHub for Windows and Mac OS X, according to a GitHub advisory published Thursday.
The vulnerability allows an attacker to execute remote code on a client’s computer when the client software accesses Git repositories. The GitHub engineering team gave a detailed explanation on how attackers might exploit the vulnerability:
"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," Thursday's advisory warned. "Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive file system."
However, the advisory did not say whether the vulnerability is being, or has been, exploited in the wild, but it confirmed that GitHub for Windows and GitHub for Mac are both affected and should be updated as soon as possible.
"We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts," Vincent Marti from GitHub wrote.
Developers using GitHub’s client for Windows or Mac can download Git version 2.2.1, a maintenance release that includes a security fix for a critical vulnerability; the fix requires a client update to be fully effective. The security update also includes new releases with the same security fix for older versions of the Git command-line client.
Because GitHub verifies pushed content and blocks malicious trees of this kind, repositories hosted on github.com are protected. Other sites hosting repositories do not necessarily apply the same safeguards, so all Git users are advised to upgrade immediately.
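The mechanism quoted from the advisory above (a tree entry that a case-insensitive file system treats as `.git`, so the checkout overwrites `.git/config`) and the server-side verification described in the previous paragraph both come down to one check: refuse any tree path with a component that the target file system would map to `.git`. The scanner below is an added example written for this article, not code from Git or GitHub; it assumes a list of tree paths as input (the sample paths are constructed) and applies the same normalisations the patched Git performs before comparing, namely case folding, dropping the code points HFS+ ignores when comparing names, and stripping the trailing dots and spaces, and the `GIT~1` 8.3 short name, that NTFS maps onto `.git`. A hosting service could run this over the trees of every pushed commit; a client-side tool could run it before checkout.

```python
"""Flag tree paths that a case-insensitive checkout would treat as '.git'.

Added example for this article; not Git's or GitHub's own code.
"""

# Code points HFS+ ignores when comparing file names (added example's list,
# taken from the Unicode ignorable ranges that HFS+ name comparison skips).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
HFS_IGNORABLE.update(range(0x202A, 0x202F))   # bidi embedding controls
HFS_IGNORABLE.update(range(0x206A, 0x2070))   # deprecated format controls


def hfs_normalize(component: str) -> str:
    """Fold case and drop the code points HFS+ ignores in name comparison."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE).lower()


def ntfs_normalize(component: str) -> str:
    """Fold case and strip trailing dots/spaces, which NTFS discards."""
    return component.rstrip(" .").lower()


def is_dotgit_component(component: str) -> bool:
    """True if a case-insensitive FS could map this component onto '.git'."""
    if hfs_normalize(component) == ".git":
        return True
    ntfs = ntfs_normalize(component)
    # 'git~1' is the 8.3 short name NTFS can assign to a '.git' directory.
    return ntfs in (".git", "git~1")


def find_dotgit_paths(tree_paths):
    """Return the tree paths that contain a dangerous '.git'-like component."""
    flagged = []
    for path in tree_paths:
        if any(is_dotgit_component(c) for c in path.split("/")):
            flagged.append(path)
    return flagged


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE_PATHS = [
    "README.md",
    ".gitignore",
    "docs/git.md",
    ".Git/config",                      # case variant of .git
    ".git\u200c/config",                # zero-width non-joiner ignored by HFS+
    ".git./config",                     # trailing dot dropped by NTFS
    "src/.GIT/hooks/post-checkout",     # nested case variant
    "GIT~1/config",                     # NTFS 8.3 short name
]

if __name__ == "__main__":
    for bad in find_dotgit_paths(SAMPLE_TREE_PATHS):
        print("rejecting tree path:", repr(bad))
```

Only the four variant spellings are flagged; `.gitignore` and `docs/git.md` pass because they never collapse to exactly `.git`. The check deliberately keys on whole path components rather than substrings, which is what keeps legitimate files such as `.gitignore` from being rejected.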
See the Git version 2.2.1 release for further information on the security fixes. Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download.
Git is a revision control system and GitHub is a hosting service for Git repositories; both are widely used to collaborate on open-source projects and on proprietary software that companies build and maintain.