A remote code execution vulnerability has been discovered in Git. CVE-2018-11235 has been assigned to track this vulnerability. Git 2.17.1 and Git for Windows 2.17.1 (2) address this vulnerability.
Vulnerability
Submodule “names” from the .gitmodules file are appended to $GIT_DIR/modules to form on-disk repository paths. When a repository is cloned, not all configuration files and hooks (e.g. the post-checkout hook) are received from the server. An attacker can create a .gitmodules file within a project and run arbitrary scripts on target machines that run “git clone --recurse-submodules”. The command obtains the submodule names from the config file and appends them to $GIT_DIR/modules. Any name like “../” can be used for directory traversal. Upon completion of the checkout, post-checkout hooks are executed from the submodule instead of the server.
Fix
Submodule names are now subject to rules, so Git ignores submodules with malicious names.
Mitigation
Please apply the latest fixes from Git. Qualys customers can scan their networks with the following QIDs to detect vulnerable machines.
| QID | Description |
|---|---|
| 370983 | Git Multiple Security Vulnerabilities |
| 176394 | Debian Security Update for git (DSA 4212-1) |
Qualys Detection
QID:370983 – On Windows machines, it checks for vulnerable versions of git-cmd.exe and git.exe by obtaining the installation path from the Windows Registry. On Unix, it uses the git --version command to obtain the version.
Please continue to follow Qualys Threat Protection for more information on various vulnerabilities.