CVE-2024-32002
📋 TL;DR
This CVE describes a vulnerability in Git where specially crafted repositories with submodules can trick Git into writing files into a .git/ directory instead of the intended submodule worktree. This allows attackers to plant malicious hooks that execute during clone operations before users can inspect the code. All Git users cloning repositories from untrusted sources are affected.
💻 Affected Systems
- Git
📦 What is this software?
Git by Git
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution during git clone operations, allowing complete compromise of the system performing the clone.
Likely Case
Attackers could execute arbitrary code on developer machines or CI/CD systems when they clone malicious repositories.
If Mitigated
No impact if patched versions are used or if repositories are only cloned from trusted sources.
🎯 Exploit Status
Exploitation requires creating a specially crafted repository with malicious submodules. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4
Vendor Advisory: https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
Restart Required: No
Instructions:
1. Update Git to one of the patched versions.
2. For Linux/macOS: use the system package manager (apt, yum, brew).
3. For Windows: download the installer from git-scm.com.
4. Verify the update with 'git --version'.
🔧 Temporary Workarounds
Disable symbolic links
Platforms: all. Prevents exploitation by disabling Git's symbolic link support.
git config --global core.symlinks false
Disable submodule recursion
Platforms: all. Avoids automatic submodule cloning during repository operations.
git clone --no-recurse-submodules <repository>
🧯 If You Can't Patch
- Only clone repositories from trusted, verified sources
- Implement network controls to restrict Git operations to approved repositories
🔍 How to Verify
Check if Vulnerable:
Run 'git --version' and compare the result against the patched versions listed above. If the installed version is older than the patched release for its branch, the system is vulnerable.
Check Version:
git --version
Verify Fix Applied:
Run 'git --version' and confirm the version is 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4, or a newer release on the same maintenance branch.
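A version check that automates the verification steps above, added here as an example rather than the page's or the Git project's own tooling. It encodes the patched release list from the Fix section and assumes git is on PATH; it also handles the vendor suffixes that Windows and Apple builds append to the version string.

```python
import re
import subprocess

# Lowest patched release on each maintenance branch, as listed in the Fix section above.
FIXED_PATCH = {
    (2, 39): 4, (2, 40): 2, (2, 41): 1, (2, 42): 2,
    (2, 43): 4, (2, 44): 1, (2, 45): 1,
}
NEWEST_FIXED_BRANCH = max(FIXED_PATCH)  # (2, 45); later branches all shipped with the fix


def parse_git_version(output):
    """Extract (major, minor, patch) from `git --version` output.

    Tolerates vendor suffixes such as '2.45.1.windows.1' or '2.39.2 (Apple Git-143)'.
    Returns None when no version number is present.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version):
    """True if this (major, minor, patch) Git release lacks the CVE-2024-32002 fix."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH:
        # Same branch: only the patch level decides (2.45.0 is vulnerable, 2.45.1 is not).
        return patch < FIXED_PATCH[branch]
    # Branches older than 2.39 never received the fix; branches newer than 2.45 were cut after it.
    return branch < NEWEST_FIXED_BRANCH


def check_installed_git():
    """Run `git --version` on this host (assumes git is on PATH) and classify it."""
    out = subprocess.run(["git", "--version"], capture_output=True, text=True, check=True).stdout
    version = parse_git_version(out)
    if version is None:
        raise ValueError("could not parse a version from: %r" % out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    ver, vuln = check_installed_git()
    status = "VULNERABLE to CVE-2024-32002, update" if vuln else "patched"
    print("git %d.%d.%d: %s" % (ver + (status,)))
```

Note that a plain "newer than 2.39.4" comparison would wrongly pass 2.45.0, which is why the check is done per branch.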
📡 Detection & Monitoring
Log Indicators:
- Unusual git clone operations from unknown sources
- Git hook execution errors during clone operations
Network Indicators:
- Git clone requests to unknown or suspicious repositories
SIEM Query:
source="git.log" AND (operation="clone" AND (source_ip NOT IN trusted_ips OR repository NOT IN trusted_repos))
🔗 References
- http://www.openwall.com/lists/oss-security/2024/05/14/2
- https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
- https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
- https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d
- https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
- https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/
- https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html