CVE-2020-26233
📋 TL;DR
CVE-2020-26233 is a path traversal vulnerability in Git Credential Manager Core (GCM Core) on Windows that allows arbitrary code execution when recursively cloning repositories with submodules. If a malicious git.exe is placed in the top-level repository, GCM Core will execute it instead of the legitimate system git.exe. This affects Windows users of GCM Core before version 2.0.289 who clone untrusted repositories with the --recurse-submodules option.
💻 Affected Systems
- Git Credential Manager Core
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with the privileges of the user running Git, potentially leading to credential theft, data exfiltration, or lateral movement.
Likely Case
Attackers could execute malicious code to steal Git credentials, modify source code, or install backdoors in development environments.
If Mitigated
With proper controls, the impact is limited to the user's local environment without affecting other systems or network resources.
🎯 Exploit Status
Exploitation requires the victim to clone a malicious repository with --recurse-submodules. The attack vector is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.289
Vendor Advisory: https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76
Restart Required: No
Instructions:
1. Update Git Credential Manager Core to version 2.0.289 or later.
2. For Git for Windows users, update to version 2.29.2(3) or later, which includes the fixed GCM Core.
3. Verify the update by checking the GCM Core version.
🔧 Temporary Workarounds
Avoid recursive cloning of untrusted repositories
Do not use the --recurse-submodules option when cloning repositories from untrusted sources.
git clone <repository_url>
# Do NOT add --recurse-submodules flag
🧯 If You Can't Patch
- Disable GCM Core and use alternative credential storage methods.
- Implement strict source control policies to only clone repositories from trusted sources.
🔍 How to Verify
Check if Vulnerable:
Run 'git credential-manager-core --version' to check the GCM Core version, or 'git config --global credential.helper' to see whether GCM Core is configured as the credential helper.
Check Version:
git credential-manager-core --version
Verify Fix Applied:
'git credential-manager-core --version' should report a version of 2.0.289 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual git.exe execution from repository directories rather than system paths
- Failed authentication attempts or credential access from unexpected locations
Network Indicators:
- Unexpected outbound connections from git processes to suspicious IPs
SIEM Query:
Process creation events where the parent process is git.exe and the command line contains --recurse-submodules, OR file creation events for git.exe in user-writable directories (such as a freshly cloned repository).
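The two checks above (the version verification and the process-creation detection) as an added worked example; this is not code from the advisory or from the GCM Core project. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), a default Git for Windows install layout for the trusted directories, and that the version output contains an x.y.z triple; the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

FIXED_VERSION = (2, 0, 289)  # GCM Core 2.0.289 or later contains the fix

# Directories a legitimate git.exe is expected to run from. Assumed default
# Git for Windows layout; adjust to your environment.
TRUSTED_GIT_DIRS = (
    r"C:\Program Files\Git\cmd",
    r"C:\Program Files\Git\bin",
    r"C:\Program Files\Git\mingw64\bin",
)

def gcm_version_is_fixed(version_output: str) -> bool:
    """Parse the first x.y.z triple in the output of
    'git credential-manager-core --version' and compare it to 2.0.289.
    The exact output format is assumed, so only the numeric triple is used."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version triple found in output")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION

def suspicious_git_exec(event: dict) -> Optional[str]:
    """Return a reason if a process-creation event matches the CVE-2020-26233
    pattern (git.exe running from outside the Git install, e.g. from a cloned
    repository), else None. Keys follow Sysmon Event ID 1 naming (assumed)."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "git.exe":
        return None
    trusted = {str(PureWindowsPath(d)).lower() for d in TRUSTED_GIT_DIRS}
    if str(image.parent).lower() in trusted:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name or "unknown"
    return f"git.exe executed from {image.parent} (parent process: {parent})"

# Constructed sample events: a benign clone, then the malicious pattern where
# GCM Core launches a git.exe found inside the cloned repository.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Git\cmd\git.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "git clone --recurse-submodules https://example.invalid/r.git"},
    {"Image": r"C:\Users\dev\src\r\git.exe",
     "ParentImage": r"C:\Program Files\Git\mingw64\libexec\git-core\git-credential-manager-core.exe",
     "CommandLine": "git.exe config --get-all credential.helper"},
]

def scan(events) -> list:
    """Return the reasons for every event that looks suspicious."""
    return [r for r in (suspicious_git_exec(e) for e in events) if r]
```

Feed real Sysmon events into scan() (or port the path test to your SIEM's query language); any hit on a git.exe whose parent is the credential manager is worth a closer look.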
🔗 References
- https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/
- https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
- https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76
- https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-beta
- https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76