Get in Touch
No specific target industries have been identified at the time of writing. Targeting is likely to be opportunistic in nature.
Severity level: Critical – Compromise may result in the loss of confidentiality and integrity of data in the first instance.
On Wednesday 11th January, 2022, Git announced the release of two security vulnerability patches, pertaining to remote code execution (RCE) attack vectors. The previously-identified vulnerabilities ultimately allowed suspected threat actors to execute arbitrary code, subsequent to successfully exploiting heap-based buffer overflow weaknesses. X41 D-Sec security and GitLab security researchers have been credited with reporting on the vulnerabilities.
These vulnerabilities are being tracked as:
More specifically, the security researchers from the X41 organisation commented on the CVE-2022-23521 exploit as follows:
“The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges.”
CVE-2022-41903, another critical vulnerability, is triggered during an archive operation, resulting in code execution by way of an integer overflow flaw, that arises when formatting the commit logs. Commenting on this second vulnerability, the X41 D-Sec researchers stated:
“Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input.”
It should also be noted that a third Windows-specific security flaw (CVE-2022-41953), impacting the Git GUI tool caused by an untrusted search path weakness, was detected to enable unauthenticated threat actors to execute untrusted code, leading to low-complexity attacks.
CVE-2022-41903 is associated with Git’s commit-formatting mechanism, used to display arbitrary information about commits and can be triggered directly via git log –format. When processing one of the padding operators (for example, %<(, %>(, etc.) an integer overflow can occur when a large offset is provided. It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive. As such, successful exploitation of CVE-2022-41903 will result in arbitrary heap reads and writes, which may result in remote code execution.
CVE-2022-235521 pertains to “gitattributes” which are used to define unique attributes corresponding to paths in a repository. The parser used to read these files contains multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with names of a significant length. These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading .gitattributes from a file, but not when parsing it from the index and as such, successfully exploiting this vulnerability depends on the location of the .gitattributes file in question. As with the previously mentioned vulnerability, successful exploit of this integer overflow can result in arbitrary heap reads and writes, which may result in RCE.
Git patched the aforementioned RCE vulnerabilities within the milieu of new versions dating back to v2.30.7. As such, previous versions of the software are vulnerable to the exploit.
The following Git versions have been detected to be susceptible to these vulnerabilities:
– Git for Windows: versions prior to and including v.2.39.0(2)
– Git: versions prior to and including v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0
Containment, Mitigations & Remediations
The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.1.
While there are currently no options to circumvent the effects of CVE-2022-23521, Git recommends that users disable “git archive” in untrusted repositories as a mitigation strategy for CVE-2022-41903, in scenarios where updating to the latest version is not an option. In all such cases, the most effective way to defend against these vulnerabilities is to upgrade to the latest Git version release, namely v2.39.1. Users who cannot immediately update to address the CVE-2022-41903 critical RCE bug can also implement the following measures in order to ensure that threat actors cannot abuse the vulnerable Git functionality:
– Avoid invoking the –format mechanism directly with the known operators, and avoid running git archive in untrusted repositories
– If git archive is exposed via git daemon, consider disabling it if working with untrusted repositories by running git config –global daemon.uploadArch false
– Avoid using Git GUI on Windows when cloning untrusted repositories.
Indicators of Compromise
Due to confined security protocols, at the time of writing, Git has not disclosed the full details of the vulnerability until the majority of users update to the latest version of the respective software.
Git possesses approximately 83.11% of the source-code-management market share. Threat actors generally utilise a combination of probability and asset value, to decide which attack surfaces to spend their time on. As a result, the software system has become a prime target. Due to the fact that smartphones and tablets have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within such software in an attempt to extract the sensitive information contained therein.
No specific threat groups have been connected to this exploit.