Git security audit reveals critical overflow bugs

A source code audit of Git has turned up two critical overflow bugs alongside a range of high-, medium- and low-severity issues.


A comprehensive security audit of Git’s source code has uncovered numerous vulnerabilities, including two critical overflow bugs.

Conducted by X41 D-Sec and GitLab and backed by the Open Source Technology Improvement Fund (OSTIF), the audit also highlighted various high, medium, and low-severity concerns.

Given how widely Git is used, including by many popular package managers, these vulnerabilities pose a significant threat to the integrity of the software supply chain.

Severe Memory Corruption Issue

The primary concern identified by the researchers was a memory corruption vulnerability triggered when Git parses .gitattributes files. Developers use these files to tell Git how to treat particular paths and file types, for example which line endings or file encodings to apply.

The researchers found that a .gitattributes file containing excessively long attribute lines, or an excessive number of attribute lines, could overflow an integer counter used during parsing. The resulting memory corruption could lead to arbitrary code execution.
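To make the failure mode concrete, here is a toy attribute-line parser in C, added as an illustration for this article; it is not Git's code, and the limits it enforces (MAX_LINE_LEN, MAX_ATTRS_PER_LINE) are assumed values, not Git's. It shows the two halves of the bug class the audit describes: a count that can wrap and then undersize the allocation it feeds, next to a hardened version that caps line length and attribute count before parsing and sizes tables with overflow-checked arithmetic. The counter is deliberately 16 bits wide so the wrap is visible with a 140 KB line; in Git's parser the same wrap needed far larger input. The input lines are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed for the hardened parser; constructed for this example,
 * not Git's actual constants. */
#define MAX_LINE_LEN       2048
#define MAX_ATTRS_PER_LINE 64

struct attr {
    const char *start;
    size_t len;
};

/* Advance past one whitespace-separated token / past a run of whitespace. */
static const char *skip_token(const char *p)
{
    while (*p && !isspace((unsigned char)*p)) p++;
    return p;
}
static const char *skip_spaces(const char *p)
{
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Vulnerable pattern: attributes are counted into a narrow integer and that
 * count later sizes the table they are copied into. A 16-bit counter is used
 * here so the wrap shows with 70000 attributes; with an `int` the same wrap
 * needs roughly 2^31 of them. After the wrap, malloc(n * sizeof(struct attr))
 * is far too small for the tokens a second pass would write into it. */
uint16_t count_attrs_unchecked(const char *line)
{
    uint16_t n = 0;
    const char *p = skip_token(line);   /* the first token is the path pattern */
    for (;;) {
        p = skip_spaces(p);
        if (!*p)
            break;
        n++;                            /* wraps silently at 65536 */
        p = skip_token(p);
    }
    return n;
}

/* Hardened pattern: reject oversized input before parsing, count in size_t,
 * and stop as soon as the per-line cap is exceeded. Returns the count, or -1
 * if the line is rejected. */
long count_attrs_checked(const char *line)
{
    size_t n = 0;
    const char *p;
    if (strlen(line) > MAX_LINE_LEN)
        return -1;
    p = skip_token(line);
    for (;;) {
        p = skip_spaces(p);
        if (!*p)
            break;
        if (++n > MAX_ATTRS_PER_LINE)
            return -1;
        p = skip_token(p);
    }
    return (long)n;
}

/* Overflow-checked table size: returns 0 and sets *out, or -1 if n * elem
 * does not fit in size_t. Allocations are sized from this, never from a
 * bare multiplication. */
int table_bytes(size_t n, size_t elem, size_t *out)
{
    if (n && elem > SIZE_MAX / n)
        return -1;
    *out = n * elem;
    return 0;
}

/* Constructed input: a pattern token followed by n_attrs one-letter
 * attributes, i.e. "x a a a ...". */
char *make_line(size_t n_attrs)
{
    size_t i, len = 1 + 2 * n_attrs;
    char *line = malloc(len + 1);
    if (!line)
        return NULL;
    line[0] = 'x';
    for (i = 0; i < n_attrs; i++) {
        line[1 + 2 * i] = ' ';
        line[2 + 2 * i] = 'a';
    }
    line[len] = '\0';
    return line;
}

int main(void)
{
    char *big = make_line(70000);
    printf("normal line: unchecked=%u checked=%ld\n",
           (unsigned)count_attrs_unchecked("*.c text eol=lf"),
           count_attrs_checked("*.c text eol=lf"));
    printf("70000 attrs: unchecked=%u (wrapped) checked=%ld (rejected)\n",
           (unsigned)count_attrs_unchecked(big), count_attrs_checked(big));
    free(big);
    return 0;
}
```

The unchecked counter reports 4464 attributes for a line that actually carries 70000, so a table sized from it would be overrun on the copy; the checked version refuses the line on length before it ever counts, and refuses a short line with more attributes than the cap.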


An attacker could exploit this vulnerability by getting a malicious .gitattributes file into a repository; the bug is triggered when the target user runs certain Git commands against that repository.

Because triggering the bug requires no unusual commands or parameters on the victim’s side, it could play a crucial role in sophisticated supply chain attacks.

“If attackers can embed it in a widely-used library, it could affect all Git clients relying on it, extending to anyone using popular package systems for software installations,” stated Markus Vervier, managing director at X41 D-Sec, during an interview with The Daily Swig.

This vulnerability could also be used against Git servers like GitHub or GitLab, although both platforms have reportedly patched the issue, according to Vervier.

Exploiting Archive Operations

The second critical vulnerability would enable code execution during standard archive operations, a particular concern for Git hosting services such as GitHub and GitLab.

The commands used to display commits can trigger an integer overflow in Git’s format parser when certain special format specifiers are used.

This overflow can be reached directly, by passing such a format string to the relevant commands, or indirectly through other operations that feed the same parser.

As confirmed by GitLab security engineer Joern Schneeweisz, an attacker could trigger the vulnerability through argument injection. A more interesting attack vector, however, was linked to an operation that reaches the bug without any injected arguments at all.

“The payload can reside solely within the repository and is activated by executing a specific command,” Schneeweisz explained. “Since executing commands across various repositories is a common practice for platforms like GitLab and GitHub, this vulnerability primarily poses a remote code execution threat for these services.”
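As an added example (not Git's pretty-format code and not from the audit), the following C toy shows the kind of numeric parsing that makes a width inside a format specifier dangerous, next to a bounded parse. It handles only the column-padding specifiers `%<(N)` and `%>(N)` that Git's pretty formats define; MAX_PAD_WIDTH and the function names are assumed for this example. Because the width can arrive either from a format string on the command line or from repository content that reaches the same parser, the hardened version treats it as attacker-controlled: digits only, no trailing junk, overflow detected, a hard upper bound, and padding computed in size_t against a checked destination size.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a padding width; a constructed value, not Git's. */
#define MAX_PAD_WIDTH 1024

/* The pattern to avoid: the text after "%<(" goes straight through strtol.
 * strtol accepts leading whitespace and a sign, stops silently at the first
 * non-digit, saturates on overflow (errno is never inspected), and the result
 * is then narrowed to int. Whatever comes out is a width nobody bounded. */
int naive_pad_width(const char *spec)
{
    return (int)strtol(spec + 3, NULL, 10);
}

/* Hardened parse of "%<(N)" or "%>(N)": digits only, consumed exactly up to
 * the closing parenthesis, overflow detected, result bounded. Returns 0 and
 * sets *width, or -1 if the specifier is rejected. */
int parse_pad_width(const char *spec, size_t *width)
{
    const char *p;
    char *end;
    unsigned long long v;

    if (strncmp(spec, "%<(", 3) != 0 && strncmp(spec, "%>(", 3) != 0)
        return -1;
    p = spec + 3;
    if (*p < '0' || *p > '9')       /* strtoull itself would accept "-7" or " 7" */
        return -1;
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno == ERANGE)            /* more digits than fit in 64 bits */
        return -1;
    if (*end != ')')                /* trailing junk such as "12abc)" */
        return -1;
    if (v == 0 || v > MAX_PAD_WIDTH)
        return -1;
    *width = (size_t)v;
    return 0;
}

/* Left-align `field` in a column `width` wide. All arithmetic is in size_t on
 * an already-bounded width, and the destination size is checked before any
 * byte is written. Returns bytes written (excluding the NUL), or 0 on refusal. */
size_t render_padded(const char *field, size_t width, char *out, size_t outsz)
{
    size_t len = strlen(field);
    size_t pad = width > len ? width - len : 0;
    if (pad > SIZE_MAX - len - 1 || len + pad + 1 > outsz)
        return 0;
    memcpy(out, field, len);
    memset(out + len, ' ', pad);
    out[len + pad] = '\0';
    return len + pad;
}

int main(void)
{
    /* Constructed specifiers: one benign, the rest shaped to slip past a naive parse. */
    static const char *specs[] = { "%<(40)", "%<(-7)", "%<(12abc)",
                                   "%<(99999999999999999999)", "%>(4096)" };
    char buf[64];
    size_t i, w;
    for (i = 0; i < sizeof specs / sizeof *specs; i++) {
        int ok = parse_pad_width(specs[i], &w);
        printf("%-28s naive=%d  hardened=%s\n", specs[i],
               naive_pad_width(specs[i]), ok == 0 ? "accepted" : "rejected");
    }
    if (parse_pad_width("%<(12)", &w) == 0 && render_padded("abc", w, buf, sizeof buf))
        printf("[%s]\n", buf);
    return 0;
}
```

The digit check before strtoull matters: the C library accepts a leading minus sign and wraps the value, so relying on the unsigned return type alone would let `%<(-7)` through as a huge width.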

Widespread Supply Chain Risks

Beyond the critical issues, the researchers also found several integer-related problems that could result in denial of service, out-of-bounds reads, or mishandling of edge cases on very large inputs. Vervier emphasized the significance of these findings for software supply chain security.

“In today’s IT environment, Git stands as a pivotal threat vector for supply chain attacks, as it is widely used even by package managers such as Rust/Cargo, Golang, and NodeJS among others. Moreover, it is the go-to source code versioning tool for development,” he noted.


Based on an article from The Daily Swig (PortSwigger): https://portswigger.net/daily-swig/git-security-audit-reveals-critical-overflow-bugs
