CVE-2022-20001
📋 TL;DR
This vulnerability in fish shell versions 3.1.0-3.3.1 allows arbitrary code execution when users navigate to directories containing malicious git configuration. Attackers can exploit this by tricking users into accessing directories they control, such as on shared file systems or extracted archives. Users with default fish configurations are affected.
💻 Affected Systems
- fish shell
📦 What is this software?
Fedora by Fedoraproject
Fish by Fishshell
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user executing fish shell, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or execution of malicious scripts in user context, potentially stealing credentials or sensitive files.
If Mitigated
No impact if fish_git_prompt is disabled or fish is patched to 3.4.0+.
🎯 Exploit Status
Exploitation requires user interaction (changing to malicious directory). Proof of concept exists in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.0
Vendor Advisory: https://github.com/fish-shell/fish-shell/security/advisories/GHSA-pj5f-6vxj-f5mq
Restart Required: Yes
Instructions:
1. Update fish using your package manager: 'sudo apt update && sudo apt upgrade fish' (Debian/Ubuntu) or 'brew upgrade fish' (macOS).
2. Restart the terminal or source the fish config: 'source ~/.config/fish/config.fish'.
3. Verify the version with 'fish --version'.
🔧 Temporary Workarounds
Disable fish_git_prompt
Platform: all
Remove the git prompt function to prevent automatic git command execution:
functions -e fish_git_prompt
Disable automatic git info in prompt
Platform: all
Modify the fish config to remove the git prompt from the display:
Edit ~/.config/fish/config.fish and remove or comment out 'fish_git_prompt' from the prompt definition
🧯 If You Can't Patch
- Disable fish_git_prompt function using 'functions -e fish_git_prompt'
- Avoid navigating to untrusted directories or shared file systems with fish shell
🔍 How to Verify
Check if Vulnerable:
Run 'fish --version' and check if version is between 3.1.0 and 3.3.1 inclusive.
Check Version:
fish --version
Verify Fix Applied:
Run 'fish --version' and confirm version is 3.4.0 or higher.
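As an added check script (not from the advisory or the fish project), the following POSIX shell parses 'fish --version' output and tests it against the affected range stated above; it assumes fish prints 'fish, version X.Y.Z' and runs against constructed sample lines so it works without fish installed.

```shell
# Added example: decide whether a fish version is in the CVE-2022-20001
# affected range 3.1.0 to 3.3.1 inclusive.
# Assumption: 'fish --version' prints "fish, version X.Y.Z" (suffixes tolerated).

# Convert "X.Y.Z" into a zero-padded comparable integer, e.g. 3.3.1 -> 3003001.
version_key() {
    # drop anything after the numeric part (e.g. "3.4.0-rc1" -> "3.4.0")
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Returns 0 (true) when the version string falls inside the affected range.
fish_version_vulnerable() {
    k=$(version_key "$1")
    lo=$(version_key 3.1.0)
    hi=$(version_key 3.3.1)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Extract the version from a "fish --version" line, e.g. "fish, version 3.3.1".
fish_version_from_output() {
    printf '%s' "$1" | sed -n 's/^fish, version \([0-9][0-9.]*[A-Za-z0-9.-]*\).*/\1/p'
}

# Constructed sample outputs so the script runs stand-alone (no fish binary needed).
for line in "fish, version 3.3.1" "fish, version 3.4.0" "fish, version 3.0.2"; do
    v=$(fish_version_from_output "$line")
    if fish_version_vulnerable "$v"; then
        echo "$v: affected by CVE-2022-20001; run 'functions -e fish_git_prompt' or upgrade to 3.4.0+"
    else
        echo "$v: not in the affected range"
    fi
done

# To check the installed fish instead, uncomment:
# command -v fish >/dev/null && fish_version_vulnerable "$(fish_version_from_output "$(fish --version)")" && echo "affected"
```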
📡 Detection & Monitoring
Log Indicators:
- Unusual git commands executed from fish shell prompts
- Commands running from unexpected directories
Network Indicators:
- None - local exploitation only
SIEM Query:
Process execution where parent process is fish and command contains unexpected git operations or shell commands
🔗 References
- https://github.com/fish-shell/fish-shell/pull/8589
- https://github.com/fish-shell/fish-shell/releases/tag/3.4.0
- https://github.com/fish-shell/fish-shell/security/advisories/GHSA-pj5f-6vxj-f5mq
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPZ7JV22DSZB5LNUCUEJ2HO3PKM2TVVK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRNMYS2LKB6TKOOBQQRSRQICDMWLZ4QL/
- https://security.gentoo.org/glsa/202309-10
- https://www.debian.org/security/2022/dsa-5234