Git Vulnerability Exposed; Patch Now or Be Hacked Later

A vulnerability in the widely used Git open-source development tool has been revealed, but there is a patch.

vulnerability found and patched

Git users, it's time to update. A new vulnerability has been reported and was patched on Dec. 18 in the widely used open-source Git source-code management system.

The vulnerability has been identified as CVE-2014-9390 and impacts Git clients running on Windows and Mac OS X. Git is an open-source source-code management system used by developers on Linux, Windows and Mac OS X, and includes both a host server-side component as well as a local client on developer machines. Git is also the open-source technology behind the popular GitHub code repository.

Linus Torvalds, best known as the creator of the open-source Linux operating system, developed Git. Somewhat ironically, the author of the rival Mercurial open-source version control system first discovered the CVE-2014-9390 issue, which also impacts Mercurial.

"The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem," a GitHub blog post warns. "An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine."

The fix for the CVE-2014-9390 vulnerability is now present in the new Git v2.2.1 release and has also been patched in Mercurial version 3.2.3

Although the issue only directly affects Windows and Mac OS X users, Linux users are also being advised to be cautious.

"Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git," Git developer Junio Hamano wrote in a Git mailing list posting.

The Git vulnerability has got the attention of security researchers as well, including Tod Beardsley, who is the Metasploit engineering manager at Rapid7. Metasploit is a popular open-source penetration-testing framework. Beardsley commented that Metasploit uses Git and GitHub extensively, so the new vulnerability immediately got his attention.

"The risk here is an evil GitHub respository that overwrites a local configuration file for Windows and OS X Git users," Beardsley told eWEEK. "It's a client-side exploit, so an attacker would either already need to be trusted by the target, or impersonate a legitimate, trusted source and wait for a client to connect."

Metasploit is often the first place where new exploits come for security researchers to be able to test vulnerabilities. It is likely that an exploit for CVE-2014-9390 will find its way into Metasploit at some point to be able to demonstrate the vulnerability.

"Given the familiarity of the Metasploit community with Git, I would expect to see an exploit emerge from the community in fairly short order," Beardsley said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.