Git, originally created for Linux kernel development, is open-source software that developers worldwide utilize to manage source code repositories, tarballs, and to track changes in files.
The software is an example of a Distributed Version Control System (DVCS) and is used by companies large and small, including Microsoft, Google, Facebook, Gnome, and PostgreSQL.
The vulnerability, CVE 2018-11235, occurs due to the management of remote repository definitions and data.
Remote repositories may contain definitions for submodules -- and data -- which are contained and checked in to the parent repository as a folder. When this repository is cloned, Git checks the parent system before preparing to clone related submodules.
As the submodule's repository already exists on disk, full cloning is skipped and the software will only check the on-disk version.
When you use Git to clone a repository, some configuration elements are also intentionally left out to prevent remote servers from fetching and executing code on remote systems. Some of the configurations left out including the content of the .git/config file and hook scripts.
The vulnerability, however, allows exactly this to happen.
Edward Thomson, program manager for Visual Studio Team Services (VSTS) at Microsoft explained in a blog post that "since the submodule's repository is checked in to the parent repository, it's never actually cloned."
"The submodule repository can therefore actually have a hook already configured," Thomson explained. "If when you recursively cloned (and this repository does have to be cloned with -- recursive for this vulnerability to manifest) this carefully crafted malicious parent repository, it will first check out the parent, then read the submodule's checked-in repository in order to write the submodule to the working directory, and finally it will execute any post-checkout hooks that are configured in the submodule's checked-in repository."
The solution to a problem which could lead to remote code execution attacks has turned out to be rather simple. Git clients will now investigate submodule folder names more closely and they must be present within the .gitrepository folder, rather than working directories.
Another bug, CVE-2018-11233, has also been patched. This vulnerability is related to sanity-check pathnames on NTFS and, if exploited, can result in reading out-of-bounds memory.
The security flaws have been resolved in the latest update of the software, Git v2.17.1, as well as older maintenance tracks.
Git for Windows 2.17.1 (2) also includes a fix. Microsoft has further mitigated the major vulnerability by blocking malicious repositories from being pushed to VSTS.
The update also includes Git server-side support to reject pushes to repositories that attempt to create malformed .gitmodules files. The developers of Git say that this should "help hosting sites protect their customers with older clients by preventing malicious contents from spreading."
Credit was given to security researcher Etienne Stalmans for discovering and reporting the security issue.