The distributed revision control system Git is affected by a serious vulnerability that could be exploited by an attacker to execute arbitrary commands and take over a developer’s machine.
The flaw (CVE-2014-9390) affects all versions of the official Git client and related software that interacts with Git repositories. Git 2.2.1 has been released to address the issue, but updates have also been made available for older maintenance tracks (184.108.40.206, 1.9.5, 2.0.5, 2.1.4).
The vulnerability, which affects users running Windows and Mac OS X, was discovered by the developers of the cross-platform, distributed revision control tool Mercurial. They initially identified the security hole in Mercurial, but after further investigation, they determined that Git is affected as well.
GitHub for Windows and GitHub for Mac have been updated to address the vulnerability. GitHub says GitHub Enterprise and github.com are not directly affected, but users are advised to update their clients as soon as possible.
Maintenance versions that include the fix for this flaw have also been released for libgit2 and JGit, two major Git libraries. Since Microsoft uses libgit2 in Visual Studio products, the company has rolled out patches for Visual Studio Online, Codeplex, Visual Studio Team Foundation Server (TFS) 2013, Visual Studio 2013 RTM, Visual Studio 2013 Update 4, and for the VS 2012 VSIX extension.
Apple’s integrated development environment Xcode also uses Git. The issue has been addressed by adding additional checks in Xcode 6.2 beta 3.
The disclosure of the vulnerability and the release of patches have been coordinated by all affected parties.
“The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” GitHub’s Vicent Marti explained in a blog post.
Marti noted that the flaw doesn’t affect Linux clients if they run in a case-sensitive filesystem. However, Junio Hamano, who has maintained Git since 2005, has pointed out that some Linux users might also have to take measures.
“Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git,” Hamano said in an advisory.
Microsoft’s Brian Harry believes that an attack leveraging this vulnerability is likely to work only in certain environments.
“For someone to do this to you, they have to have commit rights to a repo that you pull from. Inside a corporation, that would likely have to be an attack from the inside. The most likely (not only, but most likely) scenario here is in some small OSS project. Large ones generally have pretty well known/trusted committers,” Harry said.
“This vulnerability certainly got our attention, as Metasploit uses git and GitHub extensively,” Tod Beardsley, Metasploit engineering manager at Rapid7, told SecurityWeek.
“It won’t be easy to ‘weaponize’ this for indiscriminate use,” Beardsley said. “The Metasploit community is very familiar with git. So, I would expect to see an exploit released from the community sooner rather than later, primarily to demonstrate the risk in these types of cases.”
*Updated with additional commentary