Git is an open source version control system that manages very small to complex software projects and plays a significant role in the development and operations (DevOps) pipeline. Git-LFS (Large File Storage) is a free extension that allows the versioning of extremely large files by storing the contents on a remote server like Github.com/Github Enterprise. All Git versions [ <= 2.29.2] come with vulnerable LFS extensions, hence an attacker can exploit the target application leading to arbitrary code execution on the victim host system.
The victim downloads the repository controlled by the attacker, hosted on github to trigger RCE, where the attacker includes malicious “git” executable in their repository to get command execution on the victim. This “git” executable contains the malicious payload. The malicious git can have the following extensions:
Vulnerable code in the LFS extension does not use the full path of the “git” executable on the system while executing commands. As a result, the git binary is loaded from the current directory which is very dangerous as the executable can be controlled by the attacker. When an attacker-controlled repository is cloned to the victim’s computer, the LFS extension will execute the malicious git executable (which is present in the attacker’s repository) without user intervention. Now the attacker gains command execution (in the security context of the victim) on the remote victim computer.
Privilege escalation and owning of the target system to take complete control of the victim
Data exfiltration and lateral movement to compromise domain controller/ network
Malware deployment to further the attack deeper into the network
Compromising the production code, making proprietary code public by posting it on dark web forums
Leakage of critical product information and planning data
Increased cost due to delays in development pipeline
Attackers install backdoor in ongoing projects leading to cascading issues and subsequent loss of reputation
The vendor has updated the latest version of the binaries with required patches to solve the issue, which can be found here: