Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002)
New versions of Git are out, with fixes for five vulnerabilities, the most critical (CVE-2024-32002) of which can be used by attackers to remotely execute code during a “clone” operation.
About Git
Git is a widely-popular distributed version control system for collaborative software development. It can be installed on machines running Windows, macOS, Linux, and various *BSD distributions.
Web-based software development platforms GitHub and GitLab are based on Git. Visual Studio, Microsoft’s integrated development environment, has Git tooling (MinGit) built directly into it, and other IDEs rely on it.
CVE-2024-32002 and other fixed vulnerabilities
CVE-2024-32002 is a critical vulnerability that allows specially crafted Git repositories with submodules to trick Git into writing files into a .git/ directory instead of the submodule’s worktree.
“This is possible by a combination of confusing Git with a directory and a symbolic link that differs only in case so that Git can write either one, or the other, but not both. This confusion can be used to manipulate Git into writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed,” Git for Windows maintainer Johannes Schindelin explained.
CVE-2024-32004 also allows remote code execution, but only on multi-user machines: “An attacker can prepare a local repository so that it looks like a partial clone that is missing an object, so that, when this repository is cloned, Git will execute arbitrary code during the operation with full permissions of the user performing the clone.”
CVE-2024-32465 may allow attackers to bypass protections for cloning untrusted repositories, CVE-2024-32020 may allow untrusted users to modify objects in the cloned (local) repository, and CVE-2024-32021 may be used to manipulate Git into writing files outside the Git worktree and outside the .git/ directory.
Fixes and security changes
The vulnerabilities have been patched in Git v2.45.1, v2.44.1, v2.43.4, v2.42.2, v2.41.1, v2.40.2, and v2.39.4.
He also shared that more changes have been made to Git to make the cloning process more secure: improvements to protect against remote code execution, better handling of symbolic links and directories, a more secure way of running hooks (scripts), and more.
“Upgrading to the latest Git version is essential to protect against these vulnerabilities. If you cannot update immediately, please be careful from where you clone repositories,” Schindelin advised.
Fixed versions of Git have been embedded in the latest GitHub Desktop releases (for Windows and macOS). Fixes (1, 2) for CVE-2024-32002 and CVE-2024-32004 have been implemented in Visual Studio.
UPDATE (May 17, 2024, 05:25 a.m. ET):
The fact that Git is so widely used and repository cloning is a very common operation makes CVE-2024-32004 a significant risk, but updating Git or disabling symbolic link support in it eliminates the possibility of a successful attack.
Perform one of these actions as soon as possible, because creating an exploit and leveraging it is professedly easy.
UPDATE (May 20, 2024, 08:40 a.m. ET):
A PoC for and a technical deep-dive into CVE-2024-32002 have been made public.