Detected two vulnerabilities in Git leading to data leak and overwrite


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or to overwrite files on the user's system.

The release of several corrective versions of the distributed source control system Git, spanning versions 2.38.4 down to 2.30.8, was recently announced. They contain two fixes that remove known vulnerabilities affecting local clone optimizations and the "git apply" command.

These maintenance releases address two security issues, tracked as CVE-2023-22490 and CVE-2023-23946. Both vulnerabilities affect the existing version ranges, and users are strongly encouraged to update accordingly.

An attacker can exploit one vulnerability remotely to obtain information, and the other locally to manipulate files.

Normal privileges are required to exploit the vulnerabilities. Both vulnerabilities require user interaction.

The first identified vulnerability is CVE-2023-22490, which allows an attacker who controls the content of a cloned repository to gain access to sensitive data on the user's system. Two flaws contribute to the vulnerability:

  • The first flaw allows a purpose-built repository to trigger Git's local clone optimizations even when a transport that interacts with external systems is in use.
  • The second flaw allows a symbolic link to be placed where the $GIT_DIR/objects directory should be. This is similar to CVE-2022-39253, whose fix blocked symbolic links inside the $GIT_DIR/objects directory but did not check whether the $GIT_DIR/objects directory itself was a symbolic link.

In local clone mode, Git copies $GIT_DIR/objects into the target directory while dereferencing symlinks, so the files they point to are copied directly into the target directory. Because the local clone optimizations can be triggered for non-local transports, the vulnerability can be exploited when working with external repositories (for example, recursive inclusion of submodules via "git clone --recurse-submodules" may clone a malicious repository packaged as a submodule of another repository).

Using a specially crafted repository, Git can be tricked into using its local clone optimization even with a non-local transport. Although Git will cancel local clones whose source $GIT_DIR/objects directory contains symbolic links (cf. CVE-2022-39253), the objects directory itself can still be a symbolic link.

These two can be combined to include arbitrary files from the victim's file system, selected by path, in the malicious repository and its working copy, allowing data exfiltration similar to CVE-2022-39253.

The second vulnerability, CVE-2023-23946, allows the content of files outside the working directory to be overwritten by passing specially formatted input to the "git apply" command.

The attack can be carried out, for example, when patches prepared by an attacker are processed by git apply. To prevent patches from creating files outside the working copy, "git apply" refuses patches that attempt to write a file through a symlink. This protection turned out to be circumventable when the patch itself first creates the symlink.

Fedora 36 and 37 have security updates in 'testing' status that update 'git' to version 2.39.2.

The vulnerabilities are also addressed in GitLab 15.8.2, 15.7.7 and 15.6.8, in both Community Edition (CE) and Enterprise Edition (EE).

GitLab classifies the vulnerabilities as critical because CVE-2023-23946 allows the execution of arbitrary program code in the Gitaly environment (the Git RPC service). At the same time, the embedded Python is updated to version 3.9.16 to fix further vulnerabilities.

Finally, for those interested in learning more, the release of package updates in distributions can be followed on the pages of Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch and FreeBSD.

If it is not possible to install an update, the recommended workaround is to avoid running "git clone" with the "--recurse-submodules" option on untrusted repositories, and not to use the "git apply" and "git am" commands with unverified code.
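As an added example (not code from the article or from the Git project), assuming only POSIX sh: a pre-flight check for the second workaround that refuses a patch creating a symbolic link before it reaches git apply. The function names and the two sample patches are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: refuse patches that create symlinks before "git apply"/"git am".
# In a git-format diff a new symlink shows up as a "new file mode 120000" header
# (or "new mode 120000" for a type change), so a plain text scan can flag it.

# Succeeds (exit 0) when the patch creates at least one symlink; reports paths.
patch_creates_symlink() {
    n=0
    current=""
    while IFS= read -r line; do
        case "$line" in
            "diff --git "*) current=${line##* b/} ;;   # target path of this file header
            "new file mode 120000"|"new mode 120000")
                echo "symlink created by patch: $current" >&2
                n=$((n + 1)) ;;
        esac
    done < "$1"
    [ "$n" -gt 0 ]
}

# Hypothetical wrapper for git apply: refuses the patch when the check fires,
# otherwise passes all arguments (patch path last) through to git apply.
guarded_apply() {
    for arg; do last="$arg"; done
    if patch_creates_symlink "$last"; then
        echo "refusing to apply $last" >&2
        return 1
    fi
    git apply "$@"
}

# Constructed sample patches for demonstration (not real project data).
BENIGN_PATCH=$(mktemp)
cat > "$BENIGN_PATCH" <<'EOF'
diff --git a/README b/README
new file mode 100644
--- /dev/null
+++ b/README
@@ -0,0 +1 @@
+hello
EOF

SYMLINK_PATCH=$(mktemp)
cat > "$SYMLINK_PATCH" <<'EOF'
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+somewhere-else
EOF
```

The check is a coarse filter for untrusted patches and does not replace updating Git; a patch that only modifies an existing symlink's target is reported too because it carries a "new mode 120000" header only on type changes, so review such patches by hand.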
