CVE-2024-32465
📋 TL;DR
Git's documentation has long warned against working directly with repositories from untrusted sources, and the fix for CVE-2024-32004 hardened local clones. CVE-2024-32465 covers the case those protections did not reach: a repository delivered as an archive (a .zip or tarball that contains its .git directory) can carry hooks and repository-level configuration that execute when the recipient runs Git in it or clones it as a local repository. Anyone who extracts such an archive from an untrusted source and then runs Git commands in it is affected; the payload runs with that user's privileges.
💻 Affected Systems
- Git
📦 What is this software?
Fedora by Fedoraproject
Git by Git Scm
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the user who runs Git on the extracted repository. On a developer workstation or a CI runner that holds credentials, this can lead to full compromise of that account and whatever it can reach.
Likely Case
A hook shipped in the archive runs on the victim's first Git operation (for example a checkout or commit), giving the attacker a foothold in the user's context from which credential theft or lateral movement can follow.
If Mitigated
No impact if repositories obtained from archives are treated as untrusted: not operated on in place, and only imported through a clean clone.
🎯 Exploit Status
Exploitation requires user interaction: the victim must extract a malicious repository archive from an untrusted source and then run Git in it or clone it from the local path. There is no network-only attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4
Vendor Advisory: https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4
Restart Required: No
Instructions:
1. Check the current Git version with 'git --version'.
2. Update Git with your system's package manager (apt, yum, brew, etc.) to one of the patched versions, or to a distribution package that backports the fix.
3. Verify the update with 'git --version' (or the package changelog for backported builds).
🔧 Temporary Workarounds
Avoid untrusted archives
Do not extract and run Git commands inside repositories that arrive as archive files (.zip, .tar, etc.) from untrusted sources. The archive's .git directory can contain hooks and configuration that Git will honour.
Use safe clone method
When importing a repository from a local path you do not trust, use 'git clone --no-local' so that objects are transferred as if over the network rather than copied along with the source's .git contents:
git clone --no-local <repository>
🧯 If You Can't Patch
- Implement strict policies prohibiting extraction and use of Git repositories from untrusted archives
- Use Git in sandboxed environments or containers when working with potentially untrusted repositories
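The following is an added example, not code from the Git project or the advisory. It is a pre-flight check to run on an extracted archive before any Git command touches it: it lists executable, non-sample files under .git/hooks (upstream Git only ships *.sample files there) and flags a core.hooksPath entry in the archived .git/config, which would redirect hook lookup to an attacker-chosen path. The function name is ours; the directory layout it inspects is Git's standard one.

```shell
#!/bin/sh
# Added example (not from the Git project): inspect a repository that arrived
# inside an archive before running git in it. Returns 0 when nothing
# suspicious is found, 1 otherwise, and prints each finding.

audit_extracted_repo() {
    repo=$1
    gitdir="$repo/.git"
    findings=0
    if [ ! -d "$gitdir" ]; then
        echo "no .git directory in $repo; nothing to audit"
        return 0
    fi
    # Upstream Git only places *.sample files in .git/hooks; any other
    # executable here was put there by whoever built the archive.
    for hook in "$gitdir"/hooks/*; do
        [ -e "$hook" ] || continue
        case "$hook" in *.sample) continue ;; esac
        if [ -x "$hook" ]; then
            echo "hook would run: $hook"
            findings=$((findings + 1))
        fi
    done
    # core.hooksPath in the archived config moves hook lookup to an
    # arbitrary directory (key names in git config are case-insensitive).
    if [ -f "$gitdir/config" ] \
       && grep -Eiq '^[[:space:]]*hooksPath[[:space:]]*=' "$gitdir/config"; then
        echo "core.hooksPath set in $gitdir/config:"
        grep -Ei '^[[:space:]]*hooksPath[[:space:]]*=' "$gitdir/config"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Import an audited repository without copying its .git contents:
# --no-local transfers objects as a network clone would.
import_untrusted_repo() {
    src=$1
    dst=$2
    audit_extracted_repo "$src" || { echo "refusing to import $src"; return 1; }
    git clone --no-local "$src" "$dst"
}
```

Usage: source the file and run `audit_extracted_repo ./extracted-repo`; a non-zero exit means look at the printed findings before doing anything else with the directory. The audit is a coarse filter, not a proof of safety: a hook that is not executable in the archive can still be made so later, and configuration keys other than hooksPath can also influence what Git executes. The advice in the sections above (patch, and never operate on the extracted directory in place) still applies.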
🔍 How to Verify
Check if Vulnerable:
Run 'git --version' and compare against the patched release of your minor line: 2.45.0 and earlier 2.45.x, 2.44.0, 2.43.0 through 2.43.3, 2.42.0 through 2.42.1, 2.41.0, 2.40.0 through 2.40.1, 2.39.0 through 2.39.3, and every release before 2.39 are vulnerable. Distributions that backport the fix keep the older version number, so for a distribution package check its changelog or the Debian/Fedora advisories under References.
Check Version:
git --version
Verify Fix Applied:
Run 'git --version' and confirm the version is 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 or 2.39.4, a later release on that line, or any release newer than 2.45.1 (for backported distribution packages, confirm the fix from the package changelog instead).
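Because the fix landed on seven release lines, a plain "older than 2.45.1" comparison gives wrong answers (2.43.4 is fixed, 2.45.0 is not). The script below is an added example, not part of the page or the Git project: it parses the output of `git --version` and decides per minor line whether the upstream fix is present. Function names are ours. It assumes an upstream version triple; a distribution build that backports the fix under an older version number will be reported as vulnerable, and must be checked against the package changelog instead.

```shell
#!/bin/sh
# Added example (not from the Git project): per-branch version check for the
# upstream fix of CVE-2024-32465. Patched releases per the advisory:
# 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, 2.39.4.

# Returns 0 if the given x.y.z version carries the fix, 1 if it does not.
git_fixed_for_cve_2024_32465() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in
        "$rest") patch=0 ;;       # no patch component, e.g. "2.46"
    esac
    patch=${patch%%[!0-9]*}       # drop suffixes such as "-rc0" or ".windows.1"
    [ -n "$patch" ] || patch=0
    # Anything newer than the 2.45 line was released after the fix.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 45 ]; }; then
        return 0
    fi
    [ "$major" -eq 2 ] || return 1
    case "$minor" in
        45) need=1 ;;
        44) need=1 ;;
        43) need=4 ;;
        42) need=2 ;;
        41) need=1 ;;
        40) need=2 ;;
        39) need=4 ;;
        *)  return 1 ;;           # 2.38 and older never received the fix
    esac
    [ "$patch" -ge "$need" ]
}

# Reduce "git version 2.45.0" or "git version 2.45.0.windows.1" to "2.45.0".
git_version_triple() {
    printf '%s\n' "$1" \
      | sed -n 's/^git version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Check the git found on PATH; exit status 0 = fixed, 1 = update needed,
# 2 = git missing or unparseable.
check_installed_git() {
    ver=$(git_version_triple "$(git --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "git not found or version string not recognised"
        return 2
    fi
    if git_fixed_for_cve_2024_32465 "$ver"; then
        echo "git $ver: contains the upstream fix for CVE-2024-32465"
    else
        echo "git $ver: no upstream fix on this line, update to a patched release"
        return 1
    fi
}
```

Usage: source the file and run `check_installed_git`, or call `git_fixed_for_cve_2024_32465 2.43.3` directly to classify a version string gathered from an inventory. Release-candidate and platform suffixes are stripped before comparison.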
📡 Detection & Monitoring
Log Indicators:
- Unusual Git hook executions
- Git operations on repositories from archive files
Network Indicators:
- Downloads of Git repository archives from untrusted sources
SIEM Query:
Process-creation events where a shell or script interpreter (sh, bash, python, etc.) has git as its parent process, which is how hooks execute; correlate with an earlier archive-extraction command (unzip, tar, 7z) by the same user, and with git clone command lines whose source is a local path or file:// URL rather than a remote.
🔗 References
- http://www.openwall.com/lists/oss-security/2024/05/14/2
- https://git-scm.com/docs/git#_security
- https://git-scm.com/docs/git-clone
- https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7
- https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4
- https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/