Git RCE Vulnerability (CVE-2018-17456)Security Advisory

1 Vulnerability Overview

Recently, the Git project disclosed CVE-2018-17456, a vulnerability in Git that can cause arbitrary code execution when a user clones a malicious repository. An attacker can take control of a target host by exploiting this vulnerability and at the same time using social engineering methods such as phishing. Git encourages all users to update their clients to protect themselves.

Similar to CVE-2017-1000117, this vulnerability can cause option injection attacks related to submodules. It allows the URL field in the .gitModule file to start with a dash (-). As a result, when performing the “git clone” operation, the process interprets this URL as an option, thus leading to arbitrary code execution.

Reference link:

https://blog.github.com/2018-10-05-git-submodule-vulnerability/

2 Scope of Impact

Affected versions:

• Git 2.14.*< 2.14.5
• Git 2.15.*< 2.15.3
• Git 2.16.*< 2.16.5
• Git 2.17.*< 2.17.2
• Git 2.18.*< 2.18.1

Unaffected versions:

• Git 2.19.1
• Git 2.18.1
• Git 2.17.2
• Git 2.16.5
• Git 2.15.3
• Git 2.14.5

Software embedded with Git is also affected by this vulnerability, as shown in the following table.

3 Check for the Vulnerability

Version Check

Users can run the following command to check the version of Git in use and determine whether the version is affected by the vulnerability by reference to chapter 2 Scope of Impact.

git –version

4 Vulnerability Protection

The Git project has released new versions to patch the vulnerability in question. Affected users should download these updates as soon as possible to protect themselves. Before the upgrade, users should avoid cloning untrusted repositories to protect their systems.

Following are links to the updates for different operating systems:

• Windows:

https://git-scm.com/download/win

• Mac OS X:

https://git-scm.com/download/mac

• Linux:

https://git-scm.com/download/linux

For example, for a Windows environment, users can directly download the latest version from the first link listed above and then install it, which will overwrite the earlier version. Alternatively, they can run the following command to upgrade Git for Windows:

git update-git-for-windows

GitHub Desktop and Atom contain an earlier version of GitLab and so are also affected by this vulnerability, for which the Git project has also released a corresponding update. Affected users are advised to upgrade their software as soon as possible.

• Disclaimer Statement and Company Profile
  • Disclaimer Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

• About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

http://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.