Security researcher Dawid Golunski has discovered a new critical vulnerability in Git LFS (Large File Storage), an open-source extension of Git for versioning large files. The vulnerability, tracked as CVE-2020-27955, is high risk and can give attackers remote code execution. They only need to trick the victim (assuming they use Windows) into cloning a malicious repository set up by the attacker, which is easily done with a Git version control tool.
The researcher has also noted that hosted repositories running on Windows, or applications that allow repositories to be imported via a URL, might also be exposed to this vulnerability. The vulnerability can be exploited through various popular Git clients and configurations, including Visual Studio Code, GitKraken, SourceTree, SmartGit, GitHub CLI, GitHub Desktop and more.
How can the Git LFS vulnerability cause harm?
Git LFS does not specify a complete path when it spawns a new git binary process through the exec.Command() function. An attacker can exploit this to plant a backdoor in the root directory of a malicious repository: all they need to do is add a malicious executable there, which lands on the victim’s Windows system when the repository is cloned. This file can have any executable extension like –
This results in the automatic execution of the malicious git binary in place of the original git binary, which is located in a trusted path.
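The flaw described above is a binary-resolution problem: spawning a helper by bare name lets the lookup fall through to the current directory, which after a clone is attacker-controlled. The Go program below is an added example written for this article, not Git LFS's own code or its actual fix. It shows the vulnerable pattern next to a hardened lookup that resolves "git" through PATH only, refuses a match from the current directory (exec.ErrDot, reported by Go 1.19 and later), and additionally rejects any resolved path that is relative or lies inside the repository working tree. The function names, the sample repository path and the sample binary paths are assumptions constructed for the example; they use POSIX-style paths so the check runs on any OS, but the same logic applies to Windows drive paths.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// Errors returned by validateBinaryPath so callers can tell the two failure
// modes apart.
var (
	ErrRelativeBinary = errors.New("binary path is not absolute")
	ErrBinaryInRepo   = errors.New("binary resolves to a file inside the repository")
)

// vulnerableGitCmd is the pattern the article describes: a bare "git" name is
// handed to exec.Command, so the lookup may pick up a git executable planted
// in the current directory (the cloned repository root on Windows).
func vulnerableGitCmd(args ...string) *exec.Cmd {
	return exec.Command("git", args...)
}

// validateBinaryPath is the defensive check a tool should make before spawning
// a helper: the path must be absolute, and it must not live anywhere under the
// repository working tree, which the attacker controls after a clone.
func validateBinaryPath(resolved, repoDir string) error {
	if !filepath.IsAbs(resolved) {
		return ErrRelativeBinary
	}
	repoAbs, err := filepath.Abs(repoDir)
	if err != nil {
		return err
	}
	rel, err := filepath.Rel(repoAbs, filepath.Clean(resolved))
	if err != nil {
		// On Windows this happens for a different drive letter; such a
		// path cannot be inside the repository.
		return nil
	}
	outside := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if !outside {
		return ErrBinaryInRepo
	}
	return nil
}

// hardenedGitCmd resolves "git" through PATH with exec.LookPath, refuses a
// current-directory match (exec.ErrDot on Go 1.19+), validates the result and
// only then builds the command with the absolute path.
func hardenedGitCmd(repoDir string, args ...string) (*exec.Cmd, error) {
	p, err := exec.LookPath("git")
	if err != nil {
		if errors.Is(err, exec.ErrDot) {
			return nil, fmt.Errorf("refusing git found in current directory: %w", err)
		}
		return nil, err
	}
	if err := validateBinaryPath(p, repoDir); err != nil {
		return nil, fmt.Errorf("refusing %q: %w", p, err)
	}
	return exec.Command(p, args...), nil
}

func main() {
	repo := "/home/user/cloned-repo" // constructed sample path
	for _, p := range []string{
		"/usr/bin/git",             // trusted location: accepted
		"git",                      // bare name: rejected as relative
		"/home/user/cloned-repo/git", // planted in the repo root: rejected
	} {
		fmt.Printf("%-30s -> %v\n", p, validateBinaryPath(p, repo))
	}
	if cmd, err := hardenedGitCmd(repo, "version"); err != nil {
		fmt.Println("git lookup refused:", err)
	} else {
		fmt.Println("would run:", cmd.Path)
	}
	_ = vulnerableGitCmd("version") // shown for contrast, never executed here
}
```

The validation step is what makes the check useful on older Go releases, where exec.LookPath on Windows still consults the current directory: even if the lookup returns a path under the cloned repository, hardenedGitCmd refuses to run it.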
The vulnerability is easily triggered if the victim uses a vulnerable Git version control tool and is tricked into cloning the attacker’s malicious repository. Exploitation is trivial, and attackers can easily take advantage of it. A PoC exploit code, along with a video demonstration of the exploit in action on various Git clients, has been released. Golunski has explained the vulnerability in thorough detail on his website.
The only solution: Update
Systems affected by CVE-2020-27955 are Windows systems (Windows Server 2019, Windows 10 Pro and others; Unix systems are not affected) running Git version 2.29.2 or earlier, where the Git for Windows package installs the Git LFS extension by default. The bundled Git LFS extension in those packages is version 2.12 or earlier.
Git LFS has resolved the vulnerability in its latest release, which should be installed. The patched version, v2.12.1, was released soon after the vulnerability was reported. As a preventive measure, one should also stay away from any and all untrusted repositories.
Git LFS has resolved the vulnerability responsibly and in due time, but that is no reason to be careless. It remains the users’ responsibility to stay away from untrustworthy repositories, as these might become the means by which malicious actors exploit the vulnerability. The best way to prevent this is to update to the latest version of Git LFS.