CVE-2014-9390
📋 TL;DR
This vulnerability allows malicious Git servers to execute arbitrary commands on client systems when users clone or pull from repositories. It affects multiple Git implementations and related tools on Windows and OS X systems through crafted .git/config files that exploit case-insensitive filesystem handling. Users of affected Git, Mercurial, Xcode, and related tools are vulnerable.
💻 Affected Systems
- Git
- Mercurial
- Apple Xcode
- mine
- libgit2
- Egit
- JGit
📦 What is this software?
Egit by Eclipse
Git by Git Scm
Jgit by Eclipse
Libgit2 by Libgit2
Mercurial by Mercurial
Xcode by Apple
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise when cloning from a malicious repository, potentially leading to complete system takeover, data theft, and lateral movement.
Likely Case
Attackers create malicious repositories that execute arbitrary commands when developers clone them, leading to credential theft, backdoor installation, or data exfiltration.
If Mitigated
With proper network segmentation and developer awareness, the impact is limited to isolated development environments without access to production systems.
🎯 Exploit Status
Exploitation requires users to clone/pull from malicious repositories. Public proof-of-concept repositories exist demonstrating the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Git: 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1; Mercurial: 3.2.3; Xcode: 6.2 beta 3; others: versions after 08-12-2014
Vendor Advisory: http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
Restart Required: No
Instructions:
1. Update Git: 'git update-git-for-windows' (Windows) or 'brew upgrade git' (OS X).
2. Update Mercurial: 'pip install --upgrade mercurial'.
3. Update Xcode via the App Store.
4. Update other affected tools to versions after 08-12-2014.
🔧 Temporary Workarounds
Use case-sensitive filesystem (OS X)
Configure Git to use case-sensitive mode on OS X or use Linux development environments:
git config core.ignorecase false
Restrict repository sources (all platforms)
Only clone from trusted repositories and verify repository integrity before cloning
🧯 If You Can't Patch
- Isolate development environments from production networks
- Implement application whitelisting to prevent unauthorized command execution
🔍 How to Verify
Check if Vulnerable:
Check the Git version with 'git --version'. If the version falls within an affected range and the OS is Windows or OS X, the system is vulnerable.
Check Version:
git --version
Verify Fix Applied:
Verify Git version is patched: 'git --version' should show 1.8.5.6+, 1.9.5+, 2.0.5+, 2.1.4+, or 2.2.1+.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution during git clone/pull operations
- Creation of unexpected .git/config files with special characters
Network Indicators:
- Git clone operations from unknown/untrusted repositories
- Unusual outbound connections after git operations
SIEM Query:
process:git AND (command:clone OR command:pull) AND (destination_ip NOT IN trusted_repos)
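The log indicator above ("unexpected .git/config files with special characters") can be checked directly on a repository's tree before checkout. The following is an added example, not code from Git or any vendor advisory: it parses 'git ls-tree -r --name-only' output and flags path components that would collide with the .git directory on a case-insensitive NTFS or HFS+ filesystem (case variants, trailing dots or spaces, the NTFS 8.3 short name GIT~1, and HFS+ ignorable code points). The ignorable-code-point table and the sample tree are assumptions constructed for the example.

```python
import unicodedata

# Code points HFS+ ignores when comparing names (assumed subset, not Git's
# own table); inserting one into ".git" disguises it from a naive check.
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C,
                 0x202D, 0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E,
                 0x206F, 0xFEFF}

def _hfs_fold(component: str) -> str:
    """Approximate HFS+ folding: drop ignorable code points, NFD, case-fold."""
    stripped = "".join(c for c in component if ord(c) not in HFS_IGNORABLE)
    return unicodedata.normalize("NFD", stripped).casefold()

def is_dotgit_alias(component: str) -> bool:
    """True if one path component would resolve to the .git directory on a
    case-insensitive Windows (NTFS) or OS X (HFS+) filesystem."""
    # NTFS ignores trailing dots and spaces and exposes .git as the 8.3
    # short name GIT~1; compare case-insensitively after stripping them.
    ntfs = component.casefold().rstrip(". ")
    if ntfs in (".git", "git~1"):
        return True
    # HFS+ collision via ignorable code points and case folding.
    return _hfs_fold(component) == ".git"

def find_dotgit_paths(ls_tree_output: str) -> list:
    """Return paths from `git ls-tree -r --name-only` output containing a
    component that aliases .git; such a tree can overwrite .git/config on
    checkout, which is the CVE-2014-9390 vector."""
    hits = []
    for line in ls_tree_output.splitlines():
        path = line.strip()
        if path and any(is_dotgit_alias(part) for part in path.split("/")):
            hits.append(path)
    return hits

# Constructed sample of ls-tree output (not from a real repository); the
# fourth entry hides a zero-width non-joiner inside ".git".
SAMPLE_TREE = """\
README.md
src/main.c
.Git/config
.git\u200c/hooks/post-checkout
GIT~1/config
docs/.GIT./index
"""

if __name__ == "__main__":
    for p in find_dotgit_paths(SAMPLE_TREE):
        print("suspicious tree entry:", p)
```

Run it against 'git ls-tree -r --name-only <commit>' piped from a repository you are about to check out; any hit means the tree would write into .git on an affected client.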
🔗 References
- http://article.gmane.org/gmane.linux.kernel/1853266
- http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html
- http://mercurial.selenic.com/wiki/WhatsNew
- http://securitytracker.com/id?1031404
- http://support.apple.com/kb/HT204147
- https://github.com/blog/1938-git-client-vulnerability-announced
- https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915
- https://libgit2.org/security/
- https://news.ycombinator.com/item?id=8769667