Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server like GitHub.com or GitHub Enterprise.
Git LFS (git-lfs) version 2.12 and lower had a vulnerability that allows remote attackers to execute arbitrary code on a victim's Windows system if the victim simply clones the attacker's repository using common Git version control tools that make use of the git-lfs subsystem. The bug is currently tracked as CVE-2020-27955. Attackers may be able to plant a backdoor in the root directory of a malicious repository by simply adding an executable file named as follows:
- git.bat
- git.exe
- git.cmd
- git.vbs
or any other executable extension available on the target Windows system.
The researcher mentioned that applications using Git with unpatched Git LFS (git-lfs) <= 2.12 on Windows systems such as
- Git for Windows
- GitHub CLI (gh)
- GitHub Desktop
- SmartGit
- SourceTree
- Visual Studio Code
- GitKraken
have been confirmed to be exploitable in their default configuration / installation. He also mentioned that several other popular clients and development IDEs are deemed to be affected as well, since most client IDEs install Git with the git-lfs extension by default. These clients are:
Eclipse, fork, tig, GitExtensions, Magit, TortoiseGit, gmaster, GitAhead, Sublime Merge, Visual Studio, GitAtomic, Tower, git-cola.
Impact of CVE-2020-27955
The vulnerability is categorised as critical severity because it leads to a full compromise of the victim's system: attackers can execute arbitrary commands remotely without the victim's knowledge. It is therefore highly recommended that users and product vendors update to the latest git-lfs version as soon as possible, as the vulnerability is trivial to exploit.