Git security vulnerabilities prompt updates
Software developers are advised to upgrade their systems to Git v2.35.2 in order to guard against potential attacks, which would rely on an attacker first gaining write access on a targeted system.
It’s time for developers to update their local Git installations following the discovery of a brace of vulnerabilities.
The worst of the two flaws (CVE-2022-24765) carries the potential of allowing an attacker to execute arbitrary commands.
Developers using Git for Windows or Git on a multi-user machine are most at risk, as an advisory by GitHub explains:
“This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.
Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine.”
Developers who use Git on Linux or macOS are also affected by the CVE-2022-24765 flaw, albeit to a lesser extent. Patching is the recommended course of action in all cases, but short of this, various mitigations are available, as detailed in GitHub’s advisory.
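A defender-side audit for the Linux/macOS case, added here as an example and not taken from the article or GitHub’s advisory: it repeats the upward search Git performs from a working directory and reports every `.git` it would encounter, who owns it, whether that owner differs from the invoking user, and whether its config sets `core.fsmonitor`. The function name and output format are my own.

```shell
#!/bin/sh
# Walk from a start directory up to the filesystem root, mirroring Git's
# repository discovery, and print one line per ".git" directory found:
#   <path> owner=<user> foreign=<yes|no> fsmonitor=<yes|no>
# Git itself stops at the nearest hit (and, by default, at a mount boundary),
# so the first line printed is the one a git invocation would actually use;
# later lines are ancestors worth auditing on a shared host anyway.
find_parent_gitdirs() {
  dir=$(cd "$1" && pwd -P) || return 1
  me=$(id -un)
  while :; do
    if [ -d "$dir/.git" ]; then
      # Portable owner lookup: third column of "ls -ld" is the owner name.
      owner=$(ls -ld "$dir/.git" | awk '{print $3}')
      foreign=no
      [ "$owner" = "$me" ] || foreign=yes
      # Coarse config check: any "fsmonitor = ..." key. Git would honour the
      # key only inside [core], but for an audit a match anywhere is enough.
      fsm=no
      if [ -f "$dir/.git/config" ] &&
         grep -Eiq '^[[:space:]]*fsmonitor[[:space:]]*=' "$dir/.git/config"; then
        fsm=yes
      fi
      printf '%s owner=%s foreign=%s fsmonitor=%s\n' \
        "$dir/.git" "$owner" "$foreign" "$fsm"
    fi
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done
}
```

Run it as `find_parent_gitdirs "$PWD"` from any directory you expect not to be inside a repository; a hit with `foreign=yes` is exactly the situation Git v2.35.2 now refuses, and `fsmonitor=yes` on such a hit deserves immediate attention.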
A second vulnerability (CVE-2022-24767) is limited to the Git for Windows uninstaller. As with the previous flaw, some level of compromised access is a prerequisite to potential attacks, as GitHub’s advisory explains.
Attacks would rely on planting malicious .dll files on a targeted system.
Users are advised to update to Git for Windows v2.35.2 but, again, a number of temporary mitigations offer a viable alternative.
Credit for discovering the vulnerability was given to Lockheed Martin’s red team.
GitHub offers a centralized location for Git repositories, hence its role in flagging up the requirement for software updates.
Source: portswigger.net