Nine critical Git vulnerabilities found; GitHub recommends update ASAP
Nine security vulnerabilities were recently found in GitHub’s open source version control system, so the platform strongly asks its users to implement a series of “critical Git project updates” to prevent exploit risks, vulnerability testing experts mentioned.
In its security report, GitHub mentions that these vulnerabilities could allow a hacker to overwrite arbitrary paths, run remote code, and even overwrite files in the .git/ directory.
Initially, the Git project was created to allow
the development of the Linux kernel. This program identifies the changes made
to a file, and also allows the creation of repositories and a git/ folder
within another project. According to the vulnerability testing experts, a Git
vulnerability could be exploited to extract commercial IPs or for code sabotage
purposes.
One of the found vulnerabilities is
CVE-2019-1350, exploitable by wrong quoting command-line arguments, allowing
remote code execution during a recursive clone along with SSH URLs, says
Johannes Schindelin of the Git project.
“The problem is unique to Windows, as
vulnerable code is only compiled on this system. The exploit found involves a
sub module and a malicious SSH URL created to exploit the vulnerability,”
Schindelin says.
Joern Schneeweisz, GitLab’s vulnerability testing
expert, reported the vulnerability, in conjunction with the Security Incident
Response Center. Since June 2018, GitHub is owned by Microsoft,
so the platform is under constant surveillance from the tech giant’s security
teams. In the vulnerability report, GitHub adds: “If a user decides to
clone an unreliable repository, there is no way to avoid the risk of exploiting
the discovered vulnerabilities”.
The full list of vulnerabilities found
includes:
- CVE-2019-1348:
the –export-marks option of git fast-import is also exposed through the
in-stream export-marks command function… allowing you to overwrite arbitrary
routes - CVE-2019-1349:
When submodules are cloned recursively, in certain circumstances Git can be
tricked into using the same Git directory twice - CVE-2019-1350:
Incorrect citations of command-line arguments allow remote code execution
during a recursive clone along with SSH URLs - CVE-2019-1351:
While the only drive letters allowed for physical drives on Windows are letters
of the EU English alphabet, this restriction does not apply to virtual drives
assigned through sub-: . Git mistook such paths for
relative paths, allowing you to write out of the work tree during cloning - CVE-2019-1352:
Git is unaware of NTFS alternative data streams, allowing files within the
.git/ directory to be overwritten during cloning - CVE-2019-1353:
When running Git on the Windows for Linux subsystem, when accessing a working
directory on a regular Windows drive, none of the NTFS protections are active - CVE-2019-1354:
File names on Linux/Unix may contain backslashes. On Windows, backslashes are
directory separators. Git doesn’t usually refuse to write crawled files with
such file names - CVE-2019-1387:
Recursive clones are currently affected by a vulnerability caused by overly lax
validation of sub-module names, allowing for very specific attacks through
remote code execution on recursive clones
Like GitHub, vulnerability testing specialists
at the International Institute of Cyber Security (IICS) recommend upgrading as
soon as possible to prevent any risk of exploitation.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
Gloss