Git LFS Remote Code Execution Threat Intel Advisory

Published on November 13, 2020 | 19:30 IST


Type: Advisory
CVE: CVE-2020-27955
Target: Git <= 2.29.2
Severity: Critical

Git is an open source version control system used to manage projects from very small to highly complex, and it plays a significant role in development and operations (DevOps) pipelines. Git LFS (Large File Storage) is a free extension that allows versioning of extremely large files by storing their contents on a remote server such as GitHub.com or GitHub Enterprise. All Git versions [<= 2.29.2] ship with a vulnerable LFS extension, so an attacker can exploit the target application to achieve arbitrary code execution on the victim's host system.

The attack is triggered when the victim clones an attacker-controlled repository hosted on GitHub: the attacker includes a malicious "git" executable in the repository, and that executable carries the payload that gives the attacker command execution on the victim's machine. The malicious git file can have any of the following extensions:

  • git.bat
  • git.exe
  • git.vbs
  • git.cmd

The vulnerable code in the LFS extension does not use the full path of the "git" executable when executing commands. As a result, the git binary is resolved from the current directory, which is dangerous because that directory (the freshly cloned repository) is under the attacker's control. When an attacker-controlled repository is cloned to the victim's computer, the LFS extension executes the malicious git executable shipped in the repository without any user interaction, and the attacker gains command execution on the victim's computer in the security context of the victim user.
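The two defender-side checks that follow from this, written here as an added example in Go (the language git-lfs is implemented in); this is not the advisory's or the git-lfs project's own code. It scans a cloned repository root for the spoof file names listed above and resolves an executable by searching only absolute PATH directories, never the current directory. The function names and the spoof-name list are this example's own assumptions; the checks run on any platform, although the current-directory lookup problem itself is Windows behaviour.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// Names an attacker-controlled repository could carry so that a relative "git"
// lookup on Windows resolves to them rather than to the real binary (assumed list).
var lfsSpoofNames = []string{"git", "git.exe", "git.bat", "git.cmd", "git.vbs"}

// ScanRepoRoot lists regular files in dir whose name matches a spoof name
// (case-insensitively, as Windows does). A defender check on a cloned tree.
func ScanRepoRoot(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, e := range entries {
		for _, n := range lfsSpoofNames {
			if !e.IsDir() && strings.EqualFold(e.Name(), n) {
				found = append(found, e.Name())
			}
		}
	}
	return found, nil
}

// ResolveFromPath locates name by searching only absolute PATH directories,
// skipping empty or relative entries and cwd itself, so a cloned tree can never
// supply the executable. Returns an absolute path or an error.
func ResolveFromPath(name, pathEnv, cwd string) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || !filepath.IsAbs(dir) || filepath.Clean(dir) == filepath.Clean(cwd) {
			continue
		}
		candidate := filepath.Join(dir, name)
		if info, err := os.Stat(candidate); err == nil && info.Mode().IsRegular() {
			return candidate, nil
		}
	}
	return "", errors.New(name + ": not found on PATH (current directory is never searched)")
}
```

Running ScanRepoRoot over a clone before any LFS hook fires, and resolving git with ResolveFromPath instead of a bare name, removes the current-directory lookup the advisory describes.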

Impact

Technical Impact
  • Privilege escalation and full takeover of the target system, giving the attacker complete control of the victim
  • Data exfiltration and lateral movement to compromise the domain controller or network
  • Malware deployment to push the attack deeper into the network

Business Impact
  • Compromise of production code, with proprietary code made public by posting it on dark web forums
  • Leakage of critical product information and planning data
  • Increased cost due to delays in the development pipeline
  • Attackers installing backdoors in ongoing projects, leading to cascading issues and subsequent loss of reputation

Mitigations

The vendor has released updated binaries containing the required patches to resolve the issue, which can be found here:
