GitHub is strongly encouraging all Mac OS X and Windows users of GitHub and GitHub Enterprise to update their Git clients as soon as possible.
The GMANE mailing list published the details of a critical arbitrary code execution vulnerability affecting all versions of the official Git client and all related software that interacts with Git repositories. GitHub’s Vicent Marti warned users in a blog post that the flaw affects GitHub for Windows and Mac. He also stressed that the bug exists on the client-side and, therefore, does not directly affect github.com or GitHub Enterprise.
While the bugs addressed by the update are said not to affect typical Linux and Unix users, those who run hosting services are being encouraged to install it anyway, since their customers or clients may be fetching from those services onto Windows or OS X machines.
According to Marti, the vulnerability relates to Git and Git-compatible clients accessing “Git repositories in a case-insensitive or case-normalizing filesystem.” Attackers can craft malicious Git trees that cause Git to overwrite its own .git/config file while it clones or checks out a repository. This error can lead to arbitrary command execution on the client machine.
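The defensive counterpart to the flaw described above is the check a hosting service can run before accepting a push: refuse any tree whose path components would map onto the repository's own .git directory once a case-insensitive filesystem folds case. The following is an added example written for this article, not code from GitHub or from the Git project; the function names, the constructed sample tree and the report format are assumptions, and the input is assumed to be the path list that `git ls-tree -r --name-only <commit>` would print for the pushed commit.

```python
"""Flag repository paths that collide with .git on a case-insensitive filesystem.

Added example, not Git's or GitHub's code. Models a pre-receive style check a
hosting service could run over the output of `git ls-tree -r --name-only` so
that a tree which would overwrite .git/config on Windows or OS X clients is
never stored in the first place.
"""

from typing import List, Tuple

PROTECTED = ".git"


def is_dotgit_alias(component: str) -> bool:
    """True if one path component names .git once case is ignored.

    A literal ".git" is already refused by Git; the variants that matter here
    are spellings such as ".Git" or ".GIT", which a case-insensitive client
    silently maps onto the real .git directory when writing the work tree.
    """
    return component.casefold() == PROTECTED


def find_dotgit_collisions(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, offending_component) for every path containing an alias.

    Every component is inspected, not just the first one, mirroring Git's own
    rule that ".git" is not a valid component anywhere inside a tree.
    """
    hits: List[Tuple[str, str]] = []
    for path in paths:
        for component in path.split("/"):
            if is_dotgit_alias(component):
                hits.append((path, component))
                break  # one report per path is enough
    return hits


def check_push(paths: List[str]) -> Tuple[bool, List[str]]:
    """Decide whether to accept the pushed tree: (accept, report lines)."""
    hits = find_dotgit_collisions(paths)
    if not hits:
        return True, ["ok: no .git aliases in tree"]
    report = [
        f"rejected: {path!r} contains component {comp!r}, "
        "which maps to .git on case-insensitive filesystems"
        for path, comp in hits
    ]
    return False, report


# Constructed sample (assumption): paths as `git ls-tree -r --name-only` lists them.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/config",                      # would overlay .git/config on a case-folding client
    "vendor/lib/.GIT/description",      # nested alias, also refused
    "gitignore-templates/.gitignore",   # benign: ".gitignore" is not an alias of ".git"
]

if __name__ == "__main__":
    accepted, lines = check_push(SAMPLE_TREE)
    print("\n".join(lines))
    raise SystemExit(0 if accepted else 1)
```

Running the module as a hook body exits non-zero for the constructed tree, because `.Git/config` and `vendor/lib/.GIT/description` both fold to `.git`, while `.gitignore` passes. Comparing with `str.casefold()` rather than `lower()` covers the one-to-many case mappings that a plain lowercase comparison misses; the check is deliberately limited to the case-insensitivity the article describes and does not attempt to model other filesystem normalization rules.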
In case it’s not obvious from the post: There are no malicious repos in @github and they can’t be pushed anymore. Update your Git anyway.
— Vicent Martí (@vmg) December 18, 2014
In an email interview, Tod Beardsley, a Metasploit engineering manager at Rapid7, told Threatpost that this vulnerability certainly got his attention.
“The risk here involves a github repository that overwrites a local configuration file for, practically always, Windows and OSX git users,” Beardsley wrote. “This is a client-side exploit, so the target would already need to trust the attacker, or the attacker would need to impersonate a legitimate and trusted source to then wait for a client to connect. It won’t be easy to ‘weaponize’ this for indiscriminate use. The Metasploit community is very familiar with git. So, I would expect to see an exploit released from the community sooner rather than later, primarily to demonstrate the risk in these types of cases.”