A major Git security vulnerability has been discovered and has forced GitHub to issue a warning and request for users to update their Git clients.
According to a GitHub blog post, the vulnerability affects “all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. ”
Due to the vulnerability, GitHub is encouraging all of its users of GitHub and GitHub Enterprise to update their Git clients and be “particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.”
Here’s how the vulnerability works:
Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own
.git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.
Bryan Helmkamp, CEO and Founder of CodeClimate said the attacks are significant for a number of reasons:
@alexwilliams 2) compromise an existing Git repo, then use this to takeover the machines of all devs who access it
— Bryan Helmkamp (@brynary) December 18, 2014
The blog post explains that Github verifies and blocks malicious trees that trigger the vulnerability. They say that means repositories on github.com are protected. To further address the issue, GitHub has done a scan of existing content on
github.com in search of “malicious content that might have been pushed to our site before this vulnerability was discovered.”
According to GitHub, more details on the vulnerability can be found in the official Git mailing list announcement and on the git-blame blog.