Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.
Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).
“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.
Of the two vulnerabilities, CVE-2018-11235 is the most worrisome, researchers said.
The vulnerability is described as a submodule configuration flaw that surfaces when the Git submodule configuration is cloned. Git provides developers with post-checkout hooks, which are executed within the context of the project. Those hooks can be defined within the submodules, and submodules can be malicious and directed to execute code.
“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.
The concern is that a rogue submodule can trick the Git into running code it shouldn’t outside the context of the repository. “This allowed an adversary to exfiltrate data, pull down a web shell, plant a cryptominer or just totally own the machine that the Git repository or (Git) clone is being run on,” Jarrett said.
He noted that the vulnerabilities are unusual, because the bugs allow adversaries to target the developer tool chain rather than the software itself.
Edward Thomson, a Microsoft program manager for the Visual Studio Team Services, explains the patch to mitigate the bug is simple. “Submodule folder names are now examined more closely by Git clients,” he wrote in a post outlining Microsoft’s fix on Tuesday. “They can no longer contain
'..' as a path segment, and they cannot be symbolic links, so they must be within the
.gitrepository folder, and not in the actual repository’s working directory.”
“Git will now refuse to work with repositories that contain a submodule configuration like this. And Visual Studio Team Services — along with most other hosting providers — will actively reject you from pushing repositories that contain such a submodule configuration, to help protect clients that haven’t yet upgraded,” Thomson continued.
Researcher Etienne Stalmans is credited for discovering the vulnerability via GitHub’s bug bounty program. Credit for fixing the bugs goes to Jeff King and Johannes, Schindelin and others. The patches made available Tuesday cover both CVEs.
“In addition to the above fixes, this release adds support on the server side that reject pushes to repositories that attempt to create such problematic .gitmodules file etc. as tracked contents, to help hosting sites protect their customers with older clients by preventing malicious contents from spreading,” according to the Git alert.