Git RCE Vulnerability : CVE-2018-11235

A remote code execution in Git has been discovered. CVE-2018-11235 has been assigned to track this vulnerability. Git 2.17.1 and Git for Windows 2.17.1 (2) address this vulnerability.

submodule “names” from .gitmodule files are appended to $GIT_DIR/modules for on-disk repository paths. When we git clone a repository not all configuration files and hooks are received from the server Eg. post-checkout hook. An attacker can create a .gitmodules file within a project and run arbitrary scripts on target machines that “git clone –recurse-submodules“. The command obtains the submodule names from the config file and appends them to $GIT_DIR/modules. Any file name like “../” can be used for directory traversal. Upon completion of the checkout post-checkout hooks are executed from the submodule instead of the server.

Submodule names are now subject to rules, this will result in Git ignoring submodules with malicious names.

Please apply the latest fixes from Git. Qualys customer can scan their network with following QIDs to detect vulnerable machines.

QID Description
370983 Git Multiple Security Vulnerabilities
176394 Debian Security Update for git (DSA 4212-1)

Qualys Detection
QID:370983 – On Windows machines it checks for vulnerable versions of git-cmd.exe and git.exe by obtaining the installation path from the Windows Registry. On Unix it uses git –version command to obtain the version.

Please continue to follow Qualys Threat Protection for more information on various vulnerabilities.

Git disclosure
Upgrading git for the May 2018 Security Release
Announcing the May 2018 Git Security Vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *