{"id":21030,"date":"2023-01-19T09:10:25","date_gmt":"2023-01-19T17:10:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/01\/19\/news-14763\/"},"modified":"2023-01-19T09:10:25","modified_gmt":"2023-01-19T17:10:25","slug":"news-14763","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/01\/19\/news-14763\/","title":{"rendered":"Update now! Two critical flaws in Git&#8217;s code found, patched"},"content":{"rendered":"<p>In a sponsored security source code audit, security experts from X41 D-SEC GmbH (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found two notable critical flaws in Git&#8217;s code. A vulnerability in Git could generally compromise source code repositories and developer systems, but &#8220;wormable&#8221; ones could result in large-scale breaches, according to the high-level&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/x41-dsec.de\/security\/research\/news\/2023\/01\/17\/git-security-audit-ostif\/\" target=\"_blank\">audit report<\/a>. 
Microsoft&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/msrc-blog.microsoft.com\/2020\/07\/14\/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server\/\" target=\"_blank\">defines<\/a>&nbsp;a flaw as &#8220;wormable&#8221; if it doesn&rsquo;t rely on human interaction but instead allows malware to spread from one vulnerable system to another.<\/p>\n<p>The two critical flaws, tracked as&nbsp;<strong><a rel=\"noreferrer noopener\" href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-23521\" target=\"_blank\">CVE-2022-23521<\/a><\/strong>&nbsp;and&nbsp;<strong><a rel=\"noreferrer noopener\" href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-41903\" target=\"_blank\">CVE-2022-41903<\/a><\/strong>, could allow threat actors to run malware after exploiting overflow weaknesses in a system&#8217;s memory.<\/p>\n<p>A total of eight vulnerabilities were found in Git&#8217;s code. On top of the critical ones we mentioned, the experts also found one rated medium, one rated high, and four rated low severity. 
27 other issues found don&rsquo;t have a direct security impact.<\/p>\n<p>A copy of the full audit report from X41 and GitLab can be found&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.x41-dsec.de\/static\/reports\/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf\" target=\"_blank\">here<\/a>.<\/p>\n<h2>Recommendation and workaround<\/h2>\n<p>The easiest way to protect against exploits of these critical vulnerabilities is to upgrade to the latest Git release, which is version&nbsp;<strong><a rel=\"noreferrer noopener\" href=\"https:\/\/git-scm.com\/downloads\" target=\"_blank\">2.39.1<\/a><\/strong>, as well as&nbsp;<a href=\"https:\/\/about.gitlab.com\/releases\/2023\/01\/17\/critical-security-release-gitlab-15-7-5-released\/\" target=\"_blank\" rel=\"noreferrer noopener\">update your GitLab instance<\/a>&nbsp;to one of these versions:&nbsp;<strong>15.7.5<\/strong>,&nbsp;<strong>15.6.6<\/strong>, and&nbsp;<strong>15.5.9<\/strong>.&nbsp;<\/p>\n<ul>\n<li><a href=\"https:\/\/about.gitlab.com\/update\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to update GitLab<\/a><\/li>\n<li><a href=\"https:\/\/docs.gitlab.com\/runner\/install\/linux-repository.html#updating-the-runner\" target=\"_blank\" rel=\"noreferrer noopener\">How to update GitLab Runner<\/a><\/li>\n<\/ul>\n<p>Version 2.39.1 of Git for Windows also addresses the flaw tracked as&nbsp;<a href=\"https:\/\/github.com\/git-for-windows\/git\/security\/advisories\/GHSA-v4px-mx59-w99c\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2022-41953<\/a>.<\/p>\n<p>The researchers recommend those using Git continue to use safe wrappers and develop strategies to mitigate common memory safety issues. They also discouraged storing length values to signed integer typed variables.<\/p>\n<blockquote>\n<p>&#8220;Introducing generic hardenings such as sanity checks on data input length, and the use of safe wrappers can improve the security of the software in the short term. 
The usage of signed integer typed variables to store length values should be banned. Additionally, the software could benefit from compiler level checks regarding the use of integer and long variable types for length and size values. Enabling the related compiler warnings during the build process can help identify the issues early in the development process.&#8221;<\/p>\n<\/blockquote>\n<p>Per&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/git-patches-two-critical-remote-code-execution-security-flaws\/\" target=\"_blank\">BleepingComputer<\/a>, users who cannot upgrade to address CVE-2022-41903 may want to apply this workaround instead:<\/p>\n<ul>\n<li>Disable &#8216;git archive&#8217; in untrusted repositories or avoid running the command on untrusted repos<\/li>\n<li>If &#8216;git archive&#8217; is exposed via &#8216;git daemon&#8217;, disable it when working with untrusted repositories by running the &#8216;git config --global daemon.uploadArch false&#8217; command<\/li>\n<\/ul>\n<h2>CVE-2022-23521: Truncated Allocation Leading to Out-of-bounds (OOB) Write<\/h2>\n<p>An&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/cwe.mitre.org\/data\/definitions\/787.html\" target=\"_blank\">OOB Write<\/a>&nbsp;occurs when software writes data before the beginning or past the end of a buffer, resulting in data corruption, a system crash, or code execution. In this case the OOB write is a heap-based buffer overflow.<\/p>\n<p>This flaw triggers when Git parses a crafted&nbsp;<em>.gitattributes<\/em>&nbsp;file that may be part of a commit history, causing multiple integer overflows (also known as wraparounds). 
This means the program tries to store a value larger than the integer type can hold, so the value wraps around.<\/p>\n<p>If this happens, OOB reads and writes can occur, which could then lead to remote code execution.<\/p>\n<h2>CVE-2022-41903: OOB Write in Log Formatting<\/h2>\n<p>This flaw is found in Git&rsquo;s commit-formatting mechanism, which displays arbitrary information on commits. When Git processes a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/git-scm.com\/docs\/pretty-formats#Documentation\/pretty-formats.txt-emltltNgttruncltruncmtruncem\" target=\"_blank\">padding operator<\/a>, an integer overflow can occur. The overflow can in turn cause OOB reads and writes, leading to remote code execution if exploited.<\/p>\n<p>A detailed, technical dive into these vulnerabilities is in the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.x41-dsec.de\/static\/reports\/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf\" target=\"_blank\">full audit report<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/01\/update-now-two-critical-flaws-in-gits-code-found-patched\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>CVE-2022-23521 and CVE-2022-41903 are critical flaws present in Git&#8217;s code. Thankfully, they\u2019ve been addressed in its latest version.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/01\/update-now-two-critical-flaws-in-gits-code-found-patched\" title=\"Update now! 
Two critical flaws in Git's code found, patched\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/01\/update-now-two-critical-flaws-in-gits-code-found-patched\">Update now! Two critical flaws in Git&#8217;s code found, patched<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[],"class_list":["post-21030","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21030","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21030"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21030\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21030"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}