Git patches two critical remote code execution security bugs

Cybersecurity researchers from X41 and GitLab have discovered three critical vulnerabilities in the Git distributed version control system.
The vulnerabilities could allow threat actors to run arbitrary code on target endpoints by exploiting heap-based buffer overflow vulnerabilities, the researchers say. Out of the three vulnerabilities, two already have patches, while the third has a workaround.
The two patched vulnerabilities are tracked as CVE-2022-41903 and CVE-2022-23521. To protect your device, update Git to version 2.30.7. The third is tracked as CVE-2022-41953; its workaround is not to use the Git GUI software to clone repositories. According to BleepingComputer, another way to stay safe is to avoid cloning from untrusted sources altogether.
Patches and workarounds
“The most severe issue discovered allows attackers to trigger heap-based memory corruption during copy or pull operations, which can lead to code execution. Another serious issue allows code execution in an archive operation, often performed by rogue Git,” the researchers write in their explanation of the incident.
“In addition, a large number of integer-related problems have been identified that can lead to denial of service scenarios, out-of-bounds reads, or simply poorly handled corner cases on large inputs.”
Since then, Git has released a few additional versions, so just to be on the safe side, make sure you’re running the latest version of Git – 2.39.1.
BleepingComputer notes that those who cannot apply the patch immediately should disable “git archive” in untrusted repositories or avoid running the command on untrusted repositories. Furthermore, if “git archive” is exposed through “git daemon”, users should disable it when working with untrusted repositories. This can be done with the command “git config --global daemon.uploadArch false”.
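As an added example (not from the article, BleepingComputer or the Git project), a POSIX shell script that checks whether the installed Git is at or above the release the article recommends and, if not, prints the daemon mitigation command quoted above. The function names and the PATCHED_GIT_VERSION variable are the example's own; it defaults to 2.39.1 because the article names that as the current safe release.

```shell
#!/bin/sh
# Added example: verify the local Git version against the patched release and
# show the "git archive over git daemon" mitigation when an upgrade is pending.

# The article names 2.30.7 as the first patched release and 2.39.1 as the
# latest; the default here is the latest, since older maintenance lines each
# received their own fix release and a single minimum would not cover them.
PATCHED_GIT_VERSION="${PATCHED_GIT_VERSION:-2.39.1}"

# version_ge A B: exit 0 when dotted version A >= B, else exit 1 (awk keeps it POSIX).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# parse_git_version "git version 2.37.1 (Apple Git-137.1)" -> 2.37.1
# Only the leading dotted numeric part is kept, so vendor suffixes are dropped.
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# git_is_patched VERSION: exit 0 when VERSION is at or above PATCHED_GIT_VERSION.
git_is_patched() {
    version_ge "$1" "$PATCHED_GIT_VERSION"
}

# The workaround quoted in the article: stop git-daemon from serving "git archive".
daemon_archive_mitigation() {
    printf '%s\n' 'git config --global daemon.uploadArch false'
}

# Report only when git is present; the mitigation is printed, not applied.
if command -v git >/dev/null 2>&1; then
    installed=$(parse_git_version "$(git --version)")
    if git_is_patched "$installed"; then
        echo "git $installed is at or above $PATCHED_GIT_VERSION"
    else
        echo "git $installed is below $PATCHED_GIT_VERSION; until you upgrade, run:"
        echo "  $(daemon_archive_mitigation)"
    fi
fi
```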
“We strongly recommend that all installations running the version affected by the issue [..] be upgraded to the latest version as soon as possible,” GitLab warns.
Via: BleepingComputer