A security audit of Git has exposed two critical integer overflow bugs. The findings also include a range of high-, medium-, and low-risk security issues.
A source code audit of Git for security flaws has uncovered numerous weaknesses, with two critical overflow bugs among them.
The audit, funded by the Open Source Technology Improvement Fund (OSTIF) and carried out by X41 D-Sec and GitLab, also identified a range of high-, medium-, and low-severity issues.
Given how widely Git is used and how deeply it is embedded in popular packaging systems, any security flaw in it can have a major impact on the security of the software supply chain.
Malicious clone
The most critical vulnerability found by the researchers was a memory corruption bug triggered when Git parses a repository's .gitattributes file. Developers use .gitattributes to customize how Git handles particular files and paths in a repository, including line endings, file encodings, and more.
The researchers found that a very long attribute line, or a very large number of attribute lines, in .gitattributes could cause an integer overflow in the function that parses the file, potentially leading to arbitrary code execution.
An attacker could exploit the bug by planting a malicious .gitattributes file in a repository. The bug would trigger when an unsuspecting user ran git clone or git pull against that repository.
Because the bug requires no particular commands or options on the victim's system, it could play a significant role in dangerous supply chain attacks.
“Should hackers manage to infiltrate a well-known library, it could potentially affect the git clients utilizing it. This could even extend to those who use standard package systems for software installation,” Markus Vervier, managing director at X41 D-Sec, told The Daily Swig.
According to Vervier, the bug could potentially also be used to compromise Git servers such as GitHub and GitLab, although he noted that both have already been patched.
Pretty, but dangerous
The second critical flaw the researchers uncovered could allow code execution during archive operations of the kind routinely performed by Git hosting platforms such as GitHub and GitLab.
The git log and git archive commands can display commits in a “pretty” format. When handling padding operators, the pretty format parser is prone to an integer overflow if a specific format specifier pattern is used.
The overflow can be triggered directly when a user runs git log with the --format option, or indirectly when git archive is run on a repository that uses the export-subst attribute.
An attacker could trigger the bug through argument injection into the git log command, GitLab security engineer Joern Schneeweisz confirmed to The Daily Swig, but he pointed out that git archive offered a more interesting attack vector.
As Schneeweisz explained, an attacker could place an export-subst declaration in the repository's .gitattributes file, which would trigger the bug during a git archive operation without any injected arguments.
“The payload would be stored independently within the repository and activated by using the git archive command. Since the use of git archive on random repositories is a frequent practice for Git forges such as GitLab and GitHub, this problem primarily poses a threat to them in the form of remote code execution (RCE),” Schneeweisz said.
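Both critical bugs are reached through a repository's .gitattributes file: the first by oversized or excessively numerous attribute lines, the second by an export-subst declaration. The following audit script is an added example written for this article, not code from the X41/GitLab audit or from Git itself; it parses a .gitattributes body and flags the two risk signals so a forge or CI job can review a repository before cloning or archiving it. The thresholds are constructed values, not Git's own limits.

```python
from typing import Dict, List

# Constructed thresholds for this example; adjust to local policy.
MAX_LINE_BYTES = 2048          # flag any single attribute line longer than this
MAX_LINES = 10_000             # flag files with more attribute lines than this
RISKY_ATTRS = {"export-subst"}  # attributes that make git archive expand content


def parse_gitattributes(text: str) -> List[Dict]:
    """Split a .gitattributes body into records of pattern, attributes and size.

    Each non-comment line has the form: <pattern> <attr> [<attr> ...], where
    an attr is 'name' (set), '-name' (unset), '!name' (unspecified) or
    'name=value'. Blank lines and '#' comments are skipped.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        records.append({"lineno": lineno, "pattern": parts[0],
                        "attrs": parts[1:], "bytes": len(raw.encode())})
    return records


def audit_gitattributes(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    records = parse_gitattributes(text)
    if len(records) > MAX_LINES:
        findings.append(f"too many attribute lines: {len(records)} > {MAX_LINES}")
    for rec in records:
        if rec["bytes"] > MAX_LINE_BYTES:
            findings.append(f"line {rec['lineno']}: {rec['bytes']} bytes exceeds {MAX_LINE_BYTES}")
        for attr in rec["attrs"]:
            # Strip the unset/unspecified prefix and any '=value' to get the name.
            name = attr.lstrip("-!").split("=", 1)[0]
            if name in RISKY_ATTRS and not attr.startswith(("-", "!")):
                findings.append(f"line {rec['lineno']}: pattern {rec['pattern']!r} sets {name}")
    return findings


# Constructed samples: a benign file and one carrying both risk signals.
BENIGN = "*.txt text eol=lf\n# comment\n*.png binary\n"
SUSPICIOUS = "*.c text\n" + "a" * 3000 + " text\nVERSION export-subst\n"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_gitattributes(body) or "clean")
```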
The risk in the supply chain
Beyond the critical vulnerabilities, the researchers found numerous integer-related problems that could lead to denial of service, out-of-bounds reads, or simply poorly handled edge cases on large inputs. Vervier noted that these findings were highly relevant to software supply chain security.
“In the present IT environment, Git essentially serves as the paramount conduit for supply chain attacks, given its extensive use in package managers like Rust/Cargo, Golang, NodeJS, and more. Furthermore, it’s the most popular tool for tracking changes in source code during development,” he explained.