Critical RCE Vulnerability in the Git Large File Storage (LFS) Extension

RCE in Git LFS (git-lfs)

Security researcher Dawid Golunski discovered a critical remote code execution bug in Git LFS, an open-source Git extension for versioning large files.

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git while storing the file contents on a remote server like GitHub.com or GitHub Enterprise.

Git LFS (git-lfs) version 2.12 and lower had a vulnerability that allows remote attackers to execute arbitrary code on the victim's Windows system if the victim simply clones the attacker's repository using common Git version control tools that make use of the git-lfs subsystem. The bug is tracked as CVE-2020-27955. An attacker can plant a backdoor in the root directory of a malicious repository by simply adding an executable file named as follows:

- git.bat
- git.exe
- git.cmd
- git.vbs

or any other executable extension available on the target Windows system.
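As an added illustration (this code is not from the article, from the researcher, or from the git-lfs project), the Go program below shows the two defender-side checks that follow from the description above: a scan of a freshly cloned repository root for files named `git` with an executable extension, and a lookup routine that resolves the `git` binary only from the directories listed in PATH, never from the working directory, which is where a planted `git.bat` would otherwise be picked up from. The function names, the fallback extension list and the sample files used in the test are assumptions of this example, not identifiers from the page.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Extensions Windows will run when a bare command name like "git" is typed.
// The first four are the ones named in the advisory; the remainder are the
// default PATHEXT of a stock Windows install (assumed list for this example).
var defaultExts = []string{".bat", ".exe", ".cmd", ".vbs", ".com", ".js", ".jse", ".wsf", ".wsh", ".msc"}

// ExecutableExts returns the lower-cased PATHEXT entries when the variable is
// set (i.e. on Windows) and falls back to defaultExts elsewhere.
func ExecutableExts() []string {
	if v := os.Getenv("PATHEXT"); v != "" {
		var exts []string
		for _, e := range strings.Split(v, ";") {
			if e = strings.TrimSpace(e); e != "" {
				exts = append(exts, strings.ToLower(e))
			}
		}
		if len(exts) > 0 {
			return exts
		}
	}
	return defaultExts
}

// SuspiciousGitShims lists files directly inside dir (a repository root; no
// recursion) whose name would shadow the real git binary, e.g. git.bat or
// Git.EXE. The comparison is case-insensitive because Windows file names are.
func SuspiciousGitShims(dir string, exts []string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		name := strings.ToLower(e.Name())
		for _, ext := range exts {
			if name == "git"+ext {
				hits = append(hits, filepath.Join(dir, e.Name()))
				break
			}
		}
	}
	return hits, nil
}

// ResolveFromPath locates name using only the directories in pathEnv. Empty
// and "." entries, which Windows treats as the current directory, are skipped
// so that a file in a cloned repository can never be chosen. For each
// directory it tries the bare name first and then name+ext for every ext.
func ResolveFromPath(name, pathEnv string, exts []string) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || dir == "." {
			continue // never the working directory
		}
		candidates := []string{filepath.Join(dir, name)}
		for _, ext := range exts {
			candidates = append(candidates, filepath.Join(dir, name+ext))
		}
		for _, c := range candidates {
			if st, err := os.Stat(c); err == nil && !st.IsDir() {
				return c, nil
			}
		}
	}
	return "", errors.New(name + ": not found in any PATH directory")
}

func main() {
	// Usage: go run . [path-to-cloned-repo]; defaults to the current directory.
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	exts := ExecutableExts()
	hits, err := SuspiciousGitShims(dir, exts)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("WARNING: git shim in repository root:", h)
	}
	if len(hits) == 0 {
		fmt.Println("no git shims found in", dir)
	}
	if p, err := ResolveFromPath("git", os.Getenv("PATH"), exts); err == nil {
		fmt.Println("git resolved from PATH directories to:", p)
	} else {
		fmt.Println(err)
	}
}
```

The scan is a cheap post-clone check a CI job or a hook can run before any tool invokes git inside the checkout; the resolver is the shape a launcher needs on Windows, where a bare command name is otherwise searched for in the current directory before PATH.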

CVE-2020-27955: Affected Clients

The researcher confirmed that the following applications, when using Git with unpatched Git LFS (git-lfs) <= 2.12 on Windows, are exploitable in their default configuration/installation:

- Git for Windows
- GitHub CLI (gh)
- GitHub Desktop
- SmartGit
- SourceTree
- Visual Studio Code
- GitKraken

He also noted that other popular clients and development IDEs are likely affected as well, since most of them install Git with the git-lfs extension by default. These clients are:

Eclipse, fork, tig, GitExtensions, Magit, TortoiseGit, gmaster, GitAhead, Sublime Merge, Visual Studio, GitAtomic, Tower, git-cola.

Impact of CVE-2020-27955

The vulnerability is rated critical because it leads to a full compromise of the victim's system: attackers can execute arbitrary commands remotely without the victim's knowledge. Since the vulnerability is trivial to exploit, users and product vendors are strongly advised to update to the latest git-lfs version as soon as possible.

CVE-2020-27955 PoC

The researcher published the PoC code after reporting the issue to the git-lfs vendor, who issued a patched release on the official website.
