Git Vulnerability Leads to Remote Code Execution

A new version of the widely used Git version control system fixes a vulnerability that allows malicious code repositories to execute code on client computers when being cloned.

Originally created for Linux kernel development, Git is an open source tool that’s now used by most software developers from around the world to manage and work with source code repositories. The software is used by GitHub, Microsoft’s Visual Studio Team Services and other web-based collaborative code hosting services.

AWS Builder Community Hub

Git version 2.17.1, released May 28, contains fixes for two vulnerabilities tracked as CVE-2018-11233 and CVE-2018-11235. Of these, CVE-2018-11235 is the more serious one and can lead to remote code execution.

To exploit the vulnerability, attackers can create malicious repositories with a specially crafted submodule name in the .gitmodules files. If a user clones this repository using their local Git client, a malicious project can execute arbitrary scripts on their computers.

“The problem is that when you git clone a repository, there is some important configuration that you don’t get from the server,” Edward Thomson, program manager for Visual Studio Team Services at Microsoft, explained in a blog post. “This includes the contents of the .git/config file, and things like hooks, which are scripts that will be run at certain points within the git workflow. For example, the post-checkout hook will be run anytime git checks files out into the working directory.

“This configuration is not cloned from the remote server because that would open a dangerous vulnerability: that a remote server could provide you code that you would then execute on your computer,” Thomson said. “Unfortunately, with this submodule configuration vulnerability, that’s exactly what happens. Since the submodule’s repository is checked in to the parent repository, it’s never actually cloned. The submodule repository can therefore actually have a hook already configured.”

Thomson advises users to update their Git clients, including Git for Windows. The patch has also been backported to Git versions 2.13.7, 2.14.4, 2.15.2 and 2.16.4.

In addition to client patches, Git hosting services including GitHub and Visual Studio Team Services have also developed server-side mitigations that prevent users from pushing repositories with malicious configurations to their servers.

The second vulnerability patched in the new Git versions, CVE-2018-11233, could allow attackers to “trick the code that sanity-checks paths on NTFS” to read random pieces of memory.

U.S. Government Ties Two Malware Programs to North Korea

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have found evidence tying two families of malware known as Joanap and Brambul to the North Korean government.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC [indicators of compromise] files—to maintain a presence on victims’ networks and enable network exploitation,” the U.S. Computer Emergency Readiness Team (US-CERT), said in a new technical alert. “DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.”

Joanap is a remote access Trojan (RAT) that allows hackers to execute commands on infected computers. It is distributed either from websites compromised by the Hidden Cobra group or through email attachments.

Brambul is a computer worm that spreads by brute-forcing access to other computers via the Windows SMB protocol commonly used on local networks. Once a new system is infected, the worm notifies the Hidden Cobra attackers via email. The latest versions of the malware allow attackers to harvest system information and to execute a suicide script.

“According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors,” the US-CERT said in its advisory.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin