Vulnerabilities were discovered in Git version 2.39 and older that could allow attackers to execute remote code. Users should upgrade to Git version 2.39.1 immediately.
PROBLEM: Three separate security vulnerabilities were discovered that affect Git version 2.39. The first two vulnerabilities affect Git’s commit formatting mechanism and .gitattributes parser, respectively. Both may result in arbitrary code execution, so users should upgrade immediately. The Windows-specific issue involves a $PATH lookup, including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI.
AFFECTED VERSIONS: Vulnerabilities affect Git versions 2.39 and older.
ACTION ITEMS: Upgrade to Git 2.39.1 immediately. If you cannot immediately upgrade, reduce risk by following these steps:
-
Avoid invoking the --format mechanism directly with the known operators and avoid running the git archive in untrusted repositories.
-
If you expose git archive via git daemon, consider disabling it if working with untrusted repositories by running git config --global daemon.uploadArch false.
-
Avoid using Git GUI on Windows when cloning untrusted repositories.
THREATS: Vulnerabilities CVE-2022-41903, CVE-2022-23521 can result in arbitrary heap writes, which may result in remote code execution. The Windows-specific vulnerability CVE-2022-4152 may result in running untrusted code.
TECHNICAL DETAILS:
-
CVE-2022-41903: When processing one of the padding operators (for example, %<(, %>(, etc.) an integer overflow can occur when a large offset is given). This vulnerability can be triggered directly via git log --format. It may also be triggered indirectly via Git’s export-subst mechanism. This overflow can result in arbitrary heap reads and writes, which may result in remote code execution.
-
CVE-2022-23521: The attributes defined by .gitattributes file(s) within your repository are read by a parser that has multiple integer overflows. These overflows occur when parsing a large number of patterns, a large number of attributes, or attributes with long names. These overflows may be triggered via a malicious .gitattributes file. Successfully exploiting this vulnerability depends on the location of the .gitattributes file in question. This overflow can result in arbitrary heap reads and writes, which may result in remote code execution.
-
CVE-2022-4152: After cloning a repository, Git GUI automatically applies some post-processing to the resulting checkout, including running a spell-checker, if one is available. A Windows-specific vulnerability causes Git GUI to look for the spell-check in the worktree that was just checked out, which may result in running untrusted code.
DETECTION: These vulnerabilities affect all versions of Git 2.39 and older.
HOW WE PROTECT U-M:As always, U-M’s enhanced endpoint protection using CrowdStrike Falcon will provide significant protection against malicious activities that may be performed related to this and any other vulnerability.
INFORMATION FOR USERS:
In general, the best protection for your systems is to keep your software and apps up-to-date and to be sure CrowdStrike Falcon is installed on all university systems in your unit.
QUESTIONS, CONCERNS, REPORTS: Please contact ITS Information Assurance through the ITS Service Center.
Sincerely,
ITS Information Assurance
REFERENCES:
-
Git security vulnerabilities announced (GitHub Blog, 1/17/23)
-
Heap overflow in "git archive," "git log --format" leading to RCE (Git, 1/17/23)
-
gitattributes parsing integer overflow (Git, 1/17/23)
-
Git GUI Clone Remote Code Execution Vulnerability (Git, 1/17/23)
-
Announcement: Git 2.39.1 (lore.kernel.org, 1/17/23)