A recently revealed flaw in Git could allow an attacker to achieve remote code execution by planting a malicious .gitmodules file in a Git project.
Git is a popular version control platform for software development that simplifies change tracking and collaboration. Git repositories can be hosted locally, or platforms like GitHub can be used to store code in the cloud.
The vulnerability, assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2018-11235, is triggered when users recursively clone a repository that contains a malicious .gitmodules file.
According to the NIST National Vulnerability Database, the vulnerability affects all versions of Git “before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1.”
Microsoft said that it has already released updates for Windows versions of Git and encourages all Git users to update to the latest version immediately.
How Git could get you
Microsoft Senior Program Engineer Edward Thomson explained the Git exploit in great detail in a Microsoft DevOps blog post.
The exploit, Thomson explained, essentially functions like a directory traversal attack that uses .gitmodules files as its starting point.
A .gitmodules file is a top-level file that defines submodule properties. In the case of this exploit, a malicious .gitmodules file can be configured to trick the machine cloning the repository by using “..” in place of an actual directory name.
“When you git clone a repository, there is some important configuration that you don’t get from the server. This includes the contents of the .git/config file, and things like hooks, which are scripts that will be run at certain points within the git workflow,” Thomson said.
Thomson added that fetching this configuration from a remote server during a clone would be a serious risk, precisely because remotely stored files could be modified to execute arbitrary code in place of a legitimate hook.
“Unfortunately, with this submodule configuration vulnerability, that’s exactly what happens,” Thomson said.
A bad .gitmodules file “will first check out the parent, then read the submodule’s checked-in repository in order to write the submodule to the working directory.” At that point post-checkout hooks are run, and since Git was tricked into cloning remote repositories it executes whatever arbitrary code an attacker desires.
Protecting yourself from a Git attack
The solution is relatively obvious at this point: Don’t allow “..” as a path segment when defining a submodule’s location. As Thomson points out, Git for Windows has already addressed the issue and other Git platforms are likely to follow suit.
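The check described above, sketched as an added example (it is not code from the article, from Thomson's post or from Git itself): it scans the text of a .gitmodules file and reports any submodule name or path containing a “..” segment. Checking both fields, the function names and the sample file are assumptions made for illustration.

```python
import re

# Section header in git-config syntax, e.g. [submodule "vendor/libfoo"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
# Only "path" is checked: relative submodule URLs such as ../x.git are legitimate.
PATH_RE = re.compile(r'^\s*path\s*=\s*(.*?)\s*$', re.IGNORECASE)

def has_dotdot_segment(value):
    """True if any '/'- or '\\'-separated segment is exactly '..'."""
    return ".." in re.split(r"[/\\]", value)

def audit_gitmodules(text):
    """Return (submodule_name, field, value) for every '..' segment found."""
    findings = []
    current = None  # name of the submodule section being read
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            # Undo git-config escaping (\" and \\) before inspecting the name.
            current = re.sub(r"\\(.)", r"\1", section.group(1))
            if has_dotdot_segment(current):
                findings.append((current, "name", current))
            continue
        path = PATH_RE.match(line)
        if path and current is not None and has_dotdot_segment(path.group(1)):
            findings.append((current, "path", path.group(1)))
    return findings

# Constructed sample, not taken from any real repository.
SAMPLE = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "../escape"]
\tpath = deps/bar
\turl = https://example.com/bar.git
[submodule "docs"]
\tpath = a/../../outside
\turl = ../docs.git
"""

if __name__ == "__main__":
    for name, field, value in audit_gitmodules(SAMPLE):
        print(f"suspicious {field} in submodule {name!r}: {value!r}")
```

A clean result from a scan like this does not replace upgrading; the Git versions listed above remain vulnerable regardless.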
There isn’t much action for users or administrators to take to solve this issue outside of updating their Git platforms as soon as a new version is published. Don’t wait on this fix; the alternative could be devastating.
The big takeaways for tech leaders:
- Git projects can be modified by an attacker to remotely execute arbitrary code on machines that recursively clone Git repositories.
- Git users should update to the latest version of their respective platform immediately. Anyone who waits will be vulnerable to this attack, which could have serious repercussions.
