Nine critical Git vulnerabilities found; GitHub recommends update ASAP

Nine security vulnerabilities were recently found in GitHub’s open source version control system, so the platform is strongly urging its users to apply a series of “critical Git project updates” to reduce the risk of exploitation, vulnerability testing experts mentioned.

In its security report, GitHub mentions that these vulnerabilities could allow a hacker to overwrite arbitrary paths, run remote code, and even overwrite files in the .git/ directory.  

The Git project was originally created to support the development of the Linux kernel. The program tracks the changes made to files, and also allows the creation of repositories and a .git/ folder within another project. According to the vulnerability testing experts, a Git vulnerability could be exploited to extract commercial IP or to sabotage code.

One of the vulnerabilities found is CVE-2019-1350, caused by incorrect quoting of command-line arguments, which allows remote code execution during a recursive clone in conjunction with SSH URLs, says Johannes Schindelin of the Git project.

“The problem is unique to Windows, as vulnerable code is only compiled on this system. The exploit found involves a submodule and a malicious SSH URL created to exploit the vulnerability,” Schindelin says.

Joern Schneeweisz, GitLab’s vulnerability testing expert, reported the vulnerability, in conjunction with the Security Incident Response Center. GitHub has been owned by Microsoft since June 2018, so the platform is under constant surveillance from the tech giant’s security teams. In the vulnerability report, GitHub adds: “If a user decides to clone an unreliable repository, there is no way to avoid the risk of exploiting the discovered vulnerabilities”.

The full list of vulnerabilities found includes:

  • CVE-2019-1348: the --export-marks option of git fast-import is also exposed through the in-stream export-marks command feature… allowing arbitrary paths to be overwritten
  • CVE-2019-1349: When submodules are cloned recursively, in certain circumstances Git can be tricked into using the same Git directory twice
  • CVE-2019-1350: Incorrect quoting of command-line arguments allows remote code execution during a recursive clone in conjunction with SSH URLs
  • CVE-2019-1351: While the only drive letters allowed for physical drives on Windows are letters of the US English alphabet, this restriction does not apply to virtual drives assigned through subst <letter>: <path>. Git mistook such paths for relative paths, allowing writes outside the work tree during cloning
  • CVE-2019-1352: Git is unaware of NTFS Alternate Data Streams, allowing files within the .git/ directory to be overwritten during cloning
  • CVE-2019-1353: When running Git in the Windows Subsystem for Linux and accessing a working directory on a regular Windows drive, none of the NTFS protections are active
  • CVE-2019-1354: File names on Linux/Unix may contain backslashes. On Windows, backslashes are directory separators. Git did not previously refuse to write tracked files with such file names
  • CVE-2019-1387: Recursive clones are currently affected by a vulnerability caused by overly lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones
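
A defensive audit sketch for three of the Windows path issues listed above (CVE-2019-1351, CVE-2019-1352 and CVE-2019-1354), added here as an example and not code from Git or GitHub: it flags tracked paths that contain backslashes, a drive-style prefix, or a colon (NTFS stream syntax). The function names and sample paths are constructed, and the checks are a simplification, not Git's own validation logic.

```python
import re

# One character followed by a colon at the start of a path, e.g. "1:/x".
DRIVE_PREFIX = re.compile(r"^[^/\\]:")


def parse_ls_tree_z(raw: bytes) -> list[str]:
    """Split NUL-terminated output of `git ls-tree -r -z --name-only <rev>`.

    -z is used because, without it, Git may quote unusual path names,
    which would hide exactly the characters this audit looks for.
    """
    return [p.decode("utf-8", "surrogateescape") for p in raw.split(b"\0") if p]


def check_path(path: str) -> list[str]:
    """Return the findings for one tracked path (empty list: nothing flagged)."""
    findings = []
    if "\\" in path:
        # A directory separator on Windows, a plain character on Linux/Unix.
        findings.append("backslash")          # CVE-2019-1354
    rest = path
    if DRIVE_PREFIX.match(path):
        # Looks like "<letter>:", which Windows may resolve as a drive.
        findings.append("drive-prefix")       # CVE-2019-1351
        rest = path[2:]
    if any(":" in part for part in rest.split("/")):
        # "name:stream" addresses an NTFS Alternate Data Stream.
        findings.append("ntfs-stream")        # CVE-2019-1352
    return findings


def audit(raw: bytes) -> dict[str, list[str]]:
    """Map each flagged path to its findings; clean paths are omitted."""
    return {p: f for p in parse_ls_tree_z(raw) if (f := check_path(p))}


# Constructed sample input, shaped like `git ls-tree -r -z --name-only` output.
SAMPLE = (
    b"src/main.c\0"
    b"docs\\readme.txt\0"
    b"assets/logo.png:meta\0"
    b"1:/outside.txt\0"
)

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(f"{path!r}: {', '.join(findings)}")
```

A path flagged here is not proof of malice, only a name that behaves differently on Windows/NTFS than on Linux; upgrading Git remains the fix the article recommends.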

Like GitHub, vulnerability testing specialists at the International Institute of Cyber Security (IICS) recommend upgrading as soon as possible to prevent any risk of exploitation.