Vulnerability in Git Could Allow Remote Code Execution

ITS Advisory Number: 2014-115
Date(s) Issued: Monday, December 22, 2014
Subject: Vulnerability in Git Could Allow Remote Code Execution
Overview: 

A client-side vulnerability has been discovered in Git that could allow for remote code execution. Git is a version control system used in software development. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Git for Windows
  • Git for OS X
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

A client-side vulnerability has been discovered in Git that could allow for remote code execution. The vulnerability affects Git and Git-compatible clients that access Git repositories on either a case-insensitive or case-normalizing file system. Systems running a case-sensitive file system are not affected.

An attacker could craft a special file that will cause Git to overwrite its own .git/config file when either cloning or checking out a repository. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
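As an added illustration that is not part of the advisory, the check below flags repository tree paths that would map onto the .git directory on a case-insensitive, normalizing file system, the condition described above; such a check belongs in a server-side push hook or a pre-checkout scan. The sample paths are constructed, and the normalization rule (NFC plus case folding, splitting on both slash characters) is an assumption about how such file systems behave, not Git's own implementation.

```python
import unicodedata

# Constructed sample of tree paths, as they might appear in a pushed commit.
# These are illustrative only, not taken from the advisory.
SAMPLE_PATHS = [
    "src/main.c",
    "README.md",
    ".Git/config",
    "vendor/.GIT/hooks/post-checkout",
    "docs/git/config",
    ".gitignore",
]


def normalize_component(component: str) -> str:
    """Approximate how a case-insensitive, normalizing file system sees a
    name: Unicode-normalize (NFC) and case-fold. Assumption about the file
    system, not a description of Git's internal verification."""
    return unicodedata.normalize("NFC", component).casefold()


def collides_with_dot_git(path: str) -> bool:
    """True if any path component would collapse onto '.git' on such a file
    system, so checking out the tree could write into the repository's own
    metadata directory (e.g. .git/config).

    Assumption: split on both '/' and '\\' to stay conservative on Windows."""
    for component in path.replace("\\", "/").split("/"):
        if normalize_component(component) == ".git":
            return True
    return False


def find_unsafe_paths(paths):
    """Return the paths that a hook or scanner should reject."""
    return [p for p in paths if collides_with_dot_git(p)]


if __name__ == "__main__":
    for p in find_unsafe_paths(SAMPLE_PATHS):
        print("reject:", p)
```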

Actions: 

We recommend the following actions be taken:

  • Apply appropriate patches provided by GitHub to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.