CVE-2024-6257
📋 TL;DR
CVE-2024-6257 is a vulnerability in HashiCorp's go-getter library where an attacker can manipulate Git configuration files to execute arbitrary code during Git update operations. This affects any application using the vulnerable go-getter library for Git operations. The vulnerability allows remote code execution with the privileges of the process using the library.
💻 Affected Systems
- HashiCorp go-getter library
📦 What is this software?
go-getter by HashiCorp, a Go library for downloading files and directories from URLs over several protocols (including Git); it is embedded in HashiCorp products and used directly by third-party Go applications.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Unauthorized code execution leading to data exfiltration, backdoor installation, or service disruption.
If Mitigated
Limited impact through network segmentation and least privilege principles, potentially only affecting isolated containers or sandboxed environments.
🎯 Exploit Status
Exploitation requires the ability to modify Git configuration files that the go-getter process will read, which could be achieved through various means including compromised repositories or supply chain attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.7.4
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
Restart Required: Yes
Instructions:
1. Update the go-getter dependency to v1.7.4 or later.
2. Update any HashiCorp products that embed go-getter to patched versions.
3. Restart affected services and applications.
🔧 Temporary Workarounds
Disable Git functionality
If Git functionality is not required, disable or remove go-getter's Git support.
Modify application configuration to use alternative protocols or disable Git sources
Restrict Git sources
Only allow Git operations from trusted, internal repositories.
Configure application to whitelist specific Git repositories
🧯 If You Can't Patch
- Implement network controls to restrict outbound Git traffic to trusted repositories only
- Run applications using go-getter with minimal privileges and in isolated containers
🔍 How to Verify
Check if Vulnerable:
Check go.mod or vendored dependencies for a go-getter version earlier than v1.7.4. For HashiCorp products, check their version against the vendor's security advisories.
Check Version:
go list -m github.com/hashicorp/go-getter
Verify Fix Applied:
Verify that the go-getter version in the dependency graph is v1.7.4 or later. Test Git operations against known safe repositories.
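The version check above, as an added example that is not part of this advisory or of go-getter itself: it scans go.mod text or the output of `go list -m github.com/hashicorp/go-getter` for the module and compares the version found against v1.7.4, honouring a replace directive and treating a pre-release of v1.7.4 as still older than the fix. The function names and the sample go.mod excerpt are constructed for the example.

```go
package main

import (
	"strconv"
	"strings"
)

// Module path checked; the v2 module lives at a different path and is not matched.
const modulePath = "github.com/hashicorp/go-getter"

var fixed = [3]int{1, 7, 4} // v1.7.4: first release with the fix, per the vendor advisory

// IsVulnerable reports whether a go-getter version is older than v1.7.4. ok is false
// when the string is not a three-part semver such as "v1.7.3" or "v1.7.3-rc1"; a
// pre-release of v1.7.4 itself (e.g. "v1.7.4-rc1") sorts before the release, so it is vulnerable.
func IsVulnerable(version string) (vulnerable, ok bool) {
	core, _, preRelease := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, false
		}
		if n != fixed[i] {
			return n < fixed[i], true
		}
	}
	return preRelease, true
}

// FindGoGetterVersion scans go.mod text or `go list -m` output for the go-getter module.
// The last version token wins, so "replace ... => <modulePath> vX.Y.Z" overrides the
// require line; a replace pointing at a local path is not resolved.
func FindGoGetterVersion(text string) (version string, found bool) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == modulePath && strings.HasPrefix(f[i+1], "v") {
				version, found = f[i+1], true
			}
		}
	}
	return version, found
}

// Constructed go.mod excerpt (not from a real project) to run the check against.
const sampleGoMod = "require (\n\tgithub.com/hashicorp/go-getter v1.7.3\n\tgithub.com/hashicorp/hcl v1.0.0 // indirect\n)\n"
```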
📡 Detection & Monitoring
Log Indicators:
- Unexpected Git configuration changes
- Unusual Git operations from applications
- Process execution from Git operations
Network Indicators:
- Git protocol traffic to unexpected destinations
- Unusual outbound connections following Git operations
SIEM Query:
Process creation where parent process contains 'go-getter' AND command line contains 'git'