CVE-2020-28086
📋 TL;DR
CVE-2020-28086 is a vulnerability in pass (password-store) where an attacker controlling the Git repository can rename password files to trick users into decrypting and using the wrong password. This affects users of pass version 1.7.3 who pull from a compromised Git repository and use decrypted passwords for remote services.
💻 Affected Systems
- pass (password-store)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains access to legitimate user credentials by tricking a user into sending decrypted passwords to attacker-controlled services.
Likely Case
Credential exposure when users unknowingly authenticate to malicious services with legitimate passwords from renamed files.
If Mitigated
No impact if commit signing is properly implemented and verified before password decryption.
🎯 Exploit Status
Exploitation requires multiple conditions: attacker control of the Git infrastructure, a user performing git pull and then decrypting a password, and attacker control of a service that already has an entry in the password store.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.4 and later
Vendor Advisory: https://lists.zx2c4.com/pipermail/password-store/2014-March/000498.html
Restart Required: No
Instructions:
1. Update pass to version 1.7.4 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install pass
3. For macOS: brew upgrade pass
4. For source: git clone https://git.zx2c4.com/password-store && cd password-store && sudo make install
🔧 Temporary Workarounds
Enable commit signing and verification
Linux: Configure Git to sign commits and verify signatures before decrypting passwords
git config commit.gpgsign true
git config log.showSignature true
git verify-commit HEAD
Disable automatic git pull
All platforms: Manually verify repository changes before pulling and decrypting passwords
# Disable automatic sync in your workflow
# Manually run: git log --oneline --graph --decorate before git pull
🧯 If You Can't Patch
- Implement mandatory commit signing for all password store repositories
- Use separate password stores for different trust levels and verify repository integrity before use
🔍 How to Verify
Check if Vulnerable:
Run pass version. If the output shows 1.7.3 or earlier, the system is vulnerable.
Check Version:
pass version
Verify Fix Applied:
Run pass version and confirm the version is 1.7.4 or later. Then test by verifying commit signatures in the password store repository (for example with git verify-commit HEAD).
📡 Detection & Monitoring
Log Indicators:
- Git repository commits with unexpected file renames in password store
- Failed commit signature verifications in password store operations
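The rename indicator above can be checked from Git history rather than by eye. The following is an added example, not part of this advisory or of pass itself: it parses the output of `git log --name-status --format='%H%x09%an%x09%s'` run inside a password store and reports every rename that touches a .gpg entry. The log text is a constructed sample with placeholder hashes, not real history.

```python
"""Flag renames of .gpg entries in a pass (password-store) Git history."""
import re
from dataclasses import dataclass

# Constructed sample of `git log --name-status --format='%H%x09%an%x09%s'`
# output (placeholder hashes, not real history): one rename, one edit.
SAMPLE_LOG = """\
a1b2c3d4\tci-bot\tReorganise entries

R100\tshop.example.gpg\tbank.example.gpg
M\tmail.example.gpg

9f8e7d6c\talice\tRotate mail password

M\tmail.example.gpg
"""


@dataclass
class Rename:
    commit: str
    author: str
    subject: str
    old_path: str
    new_path: str


def find_gpg_renames(log_text):
    """Return every rename of a .gpg file found in name-status log output."""
    renames = []
    header = None  # (commit, author, subject) of the commit being read
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        # Name-status lines start with a status code: A, M, D, T, or R/C
        # followed by a three-digit similarity score (R100, C075, ...).
        if re.fullmatch(r"R\d{3}", fields[0]) and len(fields) == 3:
            old, new = fields[1], fields[2]
            if header and (old.endswith(".gpg") or new.endswith(".gpg")):
                renames.append(Rename(*header, old, new))
        elif re.fullmatch(r"[AMDTC]\d*", fields[0]):
            continue  # other status lines are not renames
        elif len(fields) == 3:
            header = (fields[0], fields[1], fields[2])  # commit header line
    return renames


if __name__ == "__main__":
    for r in find_gpg_renames(SAMPLE_LOG):
        print(f"{r.commit} ({r.author}): {r.old_path} -> {r.new_path}")
```

Feed it the real log text with `git log --name-status --format='%H%x09%an%x09%s' origin/master..` (an assumed branch name) after a fetch and before pulling, and review any reported entry before decrypting it.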
Network Indicators:
- Unexpected authentication attempts to services from password store entries
- Git pull operations from unusual IP addresses
SIEM Query:
(source="git.log" AND ("rename" OR "mv") AND path="*.gpg") OR (source="auth.log" AND program="pass" AND "decrypt")