It’s time for developers to update their local Git installations following the discovery of a brace of vulnerabilities.
The worst of the two flaws (CVE-2022-24765) carries the potential of allowing an attacker to execute arbitrary commands.
Developers using Git for Windows or Git on a multi-user machine are most at risk, as an advisory by GitHub explains:
This vulnerability affects users working on multi-user machines where a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.
Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine.”
Software developers are advised to upgrade their systems to Git v2.35.2 in order to guard against potential attacks, which would rely on an attacker first gaining write access on a targeted system.
Developers who use Git on Linux or macOS are also affected by the CVE-2022-24765 flaw, albeit to a lesser extent. Patching in all cases is the recommended course of action but short of this, various mitigations are available, as detailed in GitHub’s advisory.
A second vulnerability (CVE-2022-24767) is limited to the Git for Windows uninstaller. As with the previous flaw, some level of compromised access is a prerequisite to potential attacks, as GitHub’s advisory explains.
Attacks would rely on planting malicious .dll files on a targeted system.
Users are advised to update to Git for Windows v2.35.2 but, again, a number of temporary mitigations offer a viable alternative.
Credit for discovering the vulnerability was given to Lockheed Martin’s red team.
GitHub offers a centralized location for Git repositories, hence its role in flagging up the requirement for software updates.
Source: https://portswigger.net/daily-swig/git-security-vulnerabilities-prompt-updates
