CVE-2021-28955
📋 TL;DR
git-bug invokes git by its bare name, and on Windows an unqualified executable name is resolved against the current working directory before the PATH entries. A git.bat placed in the directory from which git-bug is run (for example at the root of a cloned repository) is therefore executed in place of the real git, giving arbitrary command execution with the user's privileges. Only Windows users of git-bug versions before 0.7.2 are affected.
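The lookup order behind this bug, and the check the fix needs, shown as an added example in Go (git-bug's own language). This is illustrative code written for this page, not git-bug's code or its actual patch: it simulates the Windows search order (current directory first, then each PATH entry, each candidate tried with the PATHEXT suffixes) on an ordinary filesystem so it runs anywhere, and contrasts it with a lookup that never consults the current directory and ignores empty or relative PATH entries. The directory layout, the fake git.bat and git.exe, and the function names are all constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// pathExt mirrors the leading entries of the Windows default PATHEXT.
// Windows tries them in this order, so a .bat wins only when no .com/.exe exists alongside it.
var pathExt = []string{".com", ".exe", ".bat", ".cmd"}

// isFile reports whether p exists and is a regular file.
func isFile(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.Mode().IsRegular()
}

// windowsLookup simulates the pre-0.7.2 behaviour: the current directory is
// searched BEFORE every PATH entry (PATH entries are ';'-separated as on Windows).
// Simplification: matching is case-sensitive here, Windows is case-insensitive.
func windowsLookup(name, cwd, pathEnv string) (string, error) {
	dirs := append([]string{cwd}, strings.Split(pathEnv, ";")...)
	for _, dir := range dirs {
		if dir == "" {
			continue
		}
		for _, ext := range pathExt {
			if cand := filepath.Join(dir, name+ext); isFile(cand) {
				return cand, nil
			}
		}
	}
	return "", fmt.Errorf("%q not found", name)
}

// safeLookup never looks in the current directory and skips empty or relative
// PATH entries (""/"." would silently re-introduce it). This is the property the
// fix has to guarantee; it is not a copy of git-bug's patch.
func safeLookup(name, pathEnv string) (string, error) {
	for _, dir := range strings.Split(pathEnv, ";") {
		if dir == "" || !filepath.IsAbs(dir) {
			continue
		}
		for _, ext := range pathExt {
			if cand := filepath.Join(dir, name+ext); isFile(cand) {
				return cand, nil
			}
		}
	}
	return "", fmt.Errorf("%q not found in any absolute PATH entry", name)
}

// buildFixture creates a constructed layout under root: repo/git.bat (the
// attacker's file at the top of a checkout) and bin/git.exe (stand-in for the real git).
func buildFixture(root string) (repoDir, binDir string, err error) {
	repoDir = filepath.Join(root, "repo")
	binDir = filepath.Join(root, "bin")
	for _, d := range []string{repoDir, binDir} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return
		}
	}
	bat := "@echo off\r\necho this is the attacker's git.bat\r\n" // constructed sample payload
	if err = os.WriteFile(filepath.Join(repoDir, "git.bat"), []byte(bat), 0o755); err != nil {
		return
	}
	err = os.WriteFile(filepath.Join(binDir, "git.exe"), []byte("MZ"), 0o755) // content irrelevant
	return
}

func main() {
	root, err := os.MkdirTemp("", "cve-2021-28955-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	repo, bin, err := buildFixture(root)
	if err != nil {
		panic(err)
	}
	vuln, _ := windowsLookup("git", repo, bin) // resolves to repo/git.bat
	safe, _ := safeLookup("git", bin)          // resolves to bin/git.exe
	fmt.Println("vulnerable lookup:", vuln)
	fmt.Println("hardened lookup:  ", safe)
}
```

The hardened variant is deliberately strict about relative PATH entries: a PATH containing `.` or an empty element is the Unix way of reintroducing exactly this bug, and skipping the current directory alone does not cover it.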
💻 Affected Systems
- git-bug
📦 What is this software?
git-bug (MichaelMure/git-bug): a distributed, offline-first bug tracker that stores issues inside a git repository and shells out to git for its operations.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with user privileges, potentially leading to lateral movement, data theft, or ransomware deployment.
Likely Case
Arbitrary command execution with the user's own privileges (this is not a privilege escalation) when the user runs git-bug inside a directory, typically a cloned repository, that contains a malicious git.bat.
If Mitigated
Limited: the attacker still has to get a git.bat into a directory in which the user runs git-bug. Not running git-bug inside untrusted checkouts, and keeping working directories writable only by their owner, shrink that opportunity.
🎯 Exploit Status
No public exploit is referenced here. Exploitation only requires that a git.bat exists in the directory from which the user runs git-bug; since git-bug operates on git repositories, a repository cloned from an untrusted source is enough to place the file, so the attacker does not need local access or any credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.2 and later
Vendor Advisory: https://github.com/MichaelMure/git-bug/security/advisories/GHSA-m898-h4pm-pqfr
Restart Required: No
Instructions:
1. Update git-bug to version 0.7.2 or later using your package manager or from the GitHub releases page.
2. Verify the update completed successfully (see How to Verify below).
3. No service restart is required.
🔧 Temporary Workarounds
Avoid untrusted directories
Do not run git-bug inside an untrusted checkout or in any directory that other users can write to. Before running it in a freshly cloned repository, check the top-level directory for a git.bat (or a git.exe/git.cmd, which Windows resolves the same way) that does not belong there.
Restrict directory permissions (Windows only)
Lock down the working directories you run git-bug in so that no other account can drop a git.bat into them. The original advice to deny Everyone full control would lock out the owner as well; reset the ACL instead so only the current user and SYSTEM keep access (cmd.exe syntax):
icacls . /inheritance:r /grant:r "%USERNAME%:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
This does nothing against a git.bat that arrives inside a repository the user clones themselves. Linux and macOS do not search the current directory for executables and are not affected, so no chmod equivalent is needed.
🧯 If You Can't Patch
- Restrict write access to directories users routinely run git-bug in, so that only the directory owner can create a git.bat there
- Use application control (AppLocker or WDAC script rules) to block .bat/.cmd execution from user-writable locations such as repository checkouts; a batch file runs through cmd.exe, so this is where the block takes effect
🔍 How to Verify
Check if Vulnerable:
Run git-bug version. On Windows, any version below 0.7.2 is vulnerable; other platforms are not affected.
Check Version:
git-bug version
Verify Fix Applied:
After updating, run git-bug version and confirm version is 0.7.2 or higher.
📡 Detection & Monitoring
Log Indicators:
- A batch file runs through cmd.exe, so the process that is created is cmd.exe, not git.bat: look for Sysmon Event ID 1 (or Security 4688 with command-line auditing enabled) where the parent is git-bug.exe and the command line references git.bat
- Any child of git-bug.exe other than the installed git.exe; git-bug legitimately spawns git, never cmd.exe
- A git.bat at the top of a repository checkout, especially one recently cloned from an untrusted source
Network Indicators:
- Unusual outbound connections from cmd.exe or its descendants shortly after git-bug.exe starts
SIEM Query:
Process Creation where ParentImage endswith '\git-bug.exe' AND (Image endswith '\cmd.exe' OR CommandLine contains 'git.bat')
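The detection logic above, applied to sample process-creation events, as an added example written for this page (not the project's code or a vendor-supplied rule). The events are constructed newline-delimited JSON using Sysmon Event ID 1 field names; the exact command line Windows synthesises when it runs a batch file through cmd.exe is an assumption, which is why the rule keys on the parent/child image pair rather than on the command line alone. The list of trusted git.exe paths is an assumption to adapt to the fleet, and the rule deliberately generalises beyond git.bat: a git.exe dropped in the working directory would be resolved the same way, so any child of git-bug.exe that is not the installed git is flagged.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessEvent holds the Sysmon Event ID 1 fields this rule needs.
type ProcessEvent struct {
	Image            string `json:"Image"`
	CommandLine      string `json:"CommandLine"`
	ParentImage      string `json:"ParentImage"`
	CurrentDirectory string `json:"CurrentDirectory"`
}

// Finding pairs a matched event with the reason it matched.
type Finding struct {
	Reason string
	Event  ProcessEvent
}

// trustedGit lists where a legitimate git.exe is expected (assumption; adjust per fleet).
var trustedGit = []string{
	`C:\Program Files\Git\cmd\git.exe`,
	`C:\Program Files\Git\mingw64\bin\git.exe`,
}

// sampleEvents are constructed for this example. Event 1 is the CVE pattern,
// event 2 is git-bug's normal git invocation, event 3 is unrelated cmd.exe use,
// event 4 is a git.exe planted in the checkout instead of a git.bat.
const sampleEvents = `
{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c \"\"C:\\Users\\alice\\repo\\git.bat\" rev-parse --show-toplevel\"","ParentImage":"C:\\Users\\alice\\bin\\git-bug.exe","CurrentDirectory":"C:\\Users\\alice\\repo\\"}
{"Image":"C:\\Program Files\\Git\\cmd\\git.exe","CommandLine":"git rev-parse --show-toplevel","ParentImage":"C:\\Users\\alice\\bin\\git-bug.exe","CurrentDirectory":"C:\\Users\\alice\\repo\\"}
{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c build.bat","ParentImage":"C:\\Windows\\explorer.exe","CurrentDirectory":"C:\\Users\\alice\\proj\\"}
{"Image":"C:\\Users\\alice\\repo\\git.exe","CommandLine":"git rev-parse --show-toplevel","ParentImage":"C:\\Users\\alice\\bin\\git-bug.exe","CurrentDirectory":"C:\\Users\\alice\\repo\\"}
`

// baseName returns the lower-cased file name of a Windows path, on any host OS.
func baseName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// isTrustedGit reports whether image is one of the expected git.exe locations.
func isTrustedGit(image string) bool {
	for _, t := range trustedGit {
		if strings.EqualFold(t, image) {
			return true
		}
	}
	return false
}

// Hunt runs the rule over newline-delimited JSON events and returns every match.
func Hunt(ndjson string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev ProcessEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		if baseName(ev.ParentImage) != "git-bug.exe" {
			continue // only children of git-bug are in scope
		}
		cl := strings.ToLower(ev.CommandLine)
		switch {
		case baseName(ev.Image) == "cmd.exe" && (strings.Contains(cl, ".bat") || strings.Contains(cl, ".cmd")):
			out = append(out, Finding{"git-bug spawned cmd.exe to run a batch file (CVE-2021-28955 pattern)", ev})
		case !isTrustedGit(ev.Image):
			out = append(out, Finding{"git-bug spawned an executable outside the trusted git install paths", ev})
		}
	}
	return out, sc.Err()
}

func main() {
	findings, err := Hunt(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s\n  image=%s cwd=%s\n", f.Reason, f.Event.Image, f.Event.CurrentDirectory)
	}
}
```

Baselining git-bug's normal child (git.exe from the install directory) is what keeps this rule quiet; the allowlist is the part that needs tuning per environment, not the parent/child pairing.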