Warning: Git Has A Critical Vulnerability That Can Lead To Remote Code Execution When Cloning A Repository
CVE-2024-32002: CVSS 9.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
https://nvd.nist.gov/vuln/detail/CVE-2024-32002
https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
Risks
The vulnerability in Git prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4 stems from the improper handling of symbolic links and case-insensitive filesystems during the cloning of repositories with submodules.
Successful exploitation can allow an attacker to execute arbitrary code with the same privileges as the user running Git without this user being able to inspect this code. This has a high impact on confidentiality, integrity and availability. No active exploitation of this vulnerability has been seen yet at the time of writing, but there is a proof-of-concept available.
Description
CVE-2024-32002, with a CVSS score of 9.1, is a vulnerability in Git where, when cloning a malicious repository with submodules, Git can be fooled into writing to the ‘.git/’ directory instead of the submodule’s worktree by exploiting a case-sensitive naming conflict between a directory and a symbolic link. In this way, an attacker could write a hook that is executed during the clone, before the user has any opportunity to inspect the repository. This attack only works if symbolic link support is enabled.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
- Affected versions: v2.45.0, v2.44.0, <=v2.43.3, <=v2.42.1, v2.41.0, <=v2.40.1, <=v2.39.3
- Patched versions: v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2, v2.39.4
There is also a workaround described in the GitHub advisory, that is, disabling symbolic link support via the command: `git config --global core.symlinks false`.
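As an added example (not part of the CCB advisory or of Git itself), the following POSIX shell script compares a Git version string against the patched releases listed above, one per maintained release line, and reports whether the `core.symlinks` workaround is set; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the CCB advisory: classify a Git version
# against the patched releases listed for CVE-2024-32002 and report whether
# the core.symlinks workaround is set. Function names are hypothetical.

# Patched versions from the advisory, one per maintained release line.
PATCHED_VERSIONS="2.45.1 2.44.1 2.43.4 2.42.2 2.41.1 2.40.2 2.39.4"

# Return the numeric prefix of a version component ("1.windows" -> "1", "" -> "0").
numeric_part() {
    n=$(printf '%s' "$1" | sed 's/[^0-9].*//')
    printf '%s' "${n:-0}"
}

# Print "patched", "vulnerable" or "unlisted" for a version such as "2.43.3".
# "unlisted" means the release line is not covered by the advisory's table.
classify_git_version() {
    major=$(numeric_part "$(printf '%s' "$1" | cut -d. -f1)")
    minor=$(numeric_part "$(printf '%s' "$1" | cut -d. -f2)")
    patch=$(numeric_part "$(printf '%s' "$1" | cut -d. -f3)")
    [ "$major" -eq 2 ] || { echo unlisted; return 0; }
    for fixed in $PATCHED_VERSIONS; do
        fixed_minor=$(printf '%s' "$fixed" | cut -d. -f2)
        fixed_patch=$(printf '%s' "$fixed" | cut -d. -f3)
        if [ "$minor" -eq "$fixed_minor" ]; then
            # Same release line: anything at or above the fix is patched.
            if [ "$patch" -ge "$fixed_patch" ]; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    echo unlisted
}

# Succeed only if the advisory's workaround (core.symlinks=false) is set globally.
symlinks_workaround_active() {
    [ "$(git config --global --get core.symlinks 2>/dev/null)" = "false" ]
}

# Check the locally installed Git when run as: sh check_git.sh --check
if [ "${1:-}" = "--check" ] && command -v git >/dev/null 2>&1; then
    installed=$(git --version | awk '{print $3}')
    status=$(classify_git_version "$installed")
    printf 'git %s: %s\n' "$installed" "$status"
    if [ "$status" = "vulnerable" ]; then
        if symlinks_workaround_active; then
            echo "workaround active: core.symlinks=false (still update Git)"
        else
            echo "no workaround: update Git or run: git config --global core.symlinks false"
        fi
    fi
fi
```

Release lines outside 2.39 to 2.45 are reported as "unlisted" because the advisory's table does not cover them; treat such a result as a prompt to check the vendor's release notes, not as a clean bill of health.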
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.