Nine critical Git vulnerabilities found; GitHub recommends update ASAP

Nine security vulnerabilities were recently found in Git, the open source version control system, so GitHub is strongly urging its users to apply a series of “critical Git project updates” to prevent exploitation risks, vulnerability testing experts mentioned.

In its security report, GitHub mentions that these vulnerabilities could allow a hacker to overwrite arbitrary paths, run remote code, and even overwrite files in the .git/ directory.  

The Git project was originally created to support the development of the Linux kernel. The program tracks the changes made to files, and also allows the creation of repositories and a .git/ folder within another project. According to the vulnerability testing experts, a Git vulnerability could be exploited to steal commercial intellectual property or to sabotage code.

One of the vulnerabilities found is CVE-2019-1350, caused by incorrect quoting of command-line arguments, which allows remote code execution during a recursive clone in conjunction with SSH URLs, says Johannes Schindelin of the Git project.

“The problem is unique to Windows, as the vulnerable code is only compiled on this system. The exploit found involves a submodule and a malicious SSH URL created to exploit the vulnerability,” Schindelin says.

Joern Schneeweisz, GitLab’s vulnerability testing expert, reported the vulnerability, in conjunction with the Security Incident Response Center. GitHub has been owned by Microsoft since June 2018, so the platform is constantly monitored by the tech giant’s security teams. In the vulnerability report, GitHub adds: “If a user decides to clone an unreliable repository, there is no way to avoid the risk of exploiting the discovered vulnerabilities”.

The full list of vulnerabilities found includes:

  • CVE-2019-1348: The --export-marks option of git fast-import is also exposed through the in-stream export-marks command feature… allowing arbitrary paths to be overwritten
  • CVE-2019-1349: When submodules are cloned recursively, in certain circumstances Git can be tricked into using the same Git directory twice
  • CVE-2019-1350: Incorrect quoting of command-line arguments allows remote code execution during a recursive clone in conjunction with SSH URLs
  • CVE-2019-1351: While the only drive letters allowed for physical drives on Windows are letters of the US English alphabet, this restriction does not apply to virtual drives assigned through subst <letter>: <path>. Git mistook such paths for relative paths, allowing writes outside the work tree during cloning
  • CVE-2019-1352: Git is unaware of NTFS Alternate Data Streams, allowing files within the .git/ directory to be overwritten during cloning
  • CVE-2019-1353: When running Git in the Windows Subsystem for Linux and accessing a working directory on a regular Windows drive, none of the NTFS protections are active
  • CVE-2019-1354: File names on Linux/Unix may contain backslashes. On Windows, backslashes are directory separators. Git did not previously refuse to write out tracked files with such file names
  • CVE-2019-1387: Recursive clones are currently affected by a vulnerability caused by overly lax validation of submodule names, allowing very targeted attacks through remote code execution on recursive clones
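
A defensive check for three of the path shapes in the list above (CVE-2019-1351, CVE-2019-1352 and CVE-2019-1354), as an added example that is not code from Git or GitHub: it audits a list of tracked file names, such as the output of `git ls-tree -r --name-only`, before a checkout on Windows. The function names, rule labels and sample paths are constructed for illustration.

```python
import re

# Constructed sample input: tracked paths as a repository tree might list them.
SAMPLE_PATHS = [
    "src/main.c",                # ordinary path, nothing to report
    "docs\\readme.txt",          # backslash inside a file name (CVE-2019-1354)
    "1:/out/file.txt",           # "<char>:" prefix that is not an A-Z letter (CVE-2019-1351)
    "lib/.GIT:stream/config",    # ".git" followed by NTFS stream syntax (CVE-2019-1352)
]


def audit_path(path):
    """Return the rule labels (assumed names) that a tracked path triggers."""
    findings = []

    # On Linux/Unix a backslash is a legal file-name character; on Windows
    # it is a directory separator, so the path means something different.
    if "\\" in path:
        findings.append("backslash")

    # Evaluate the remaining rules the way Windows would split the path.
    components = re.split(r"[\\/]", path)

    # Any single character followed by ':' can name a (virtual) drive,
    # so a first component of that shape must not be treated as relative.
    if len(components[0]) == 2 and components[0][1] == ":":
        findings.append("drive-prefix")

    # "name:stream" addresses an alternate data stream of "name" on NTFS,
    # and NTFS names are case-insensitive, so ".GIT:x" still refers to .git.
    for comp in components:
        name, sep, _stream = comp.partition(":")
        if sep and name.lower() == ".git":
            findings.append("git-dir-stream")

    return findings


def audit(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    report = {p: audit_path(p) for p in paths}
    return {p: f for p, f in report.items() if f}


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_PATHS).items():
        print(f"{path!r}: {', '.join(findings)}")
```
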

Like GitHub, vulnerability testing specialists at the International Institute of Cyber Security (IICS) recommend upgrading as soon as possible to prevent any risk of exploitation.
