{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/code-vulnerability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2019-19604"}],"_cs_exploited":false,"_cs_products":["gix"],"_cs_severities":["high"],"_cs_tags":["code-vulnerability","remote-code-execution","gitoxide"],"_cs_type":"advisory","_cs_vendors":["GitoxideLabs"],"content_html":"\u003cp\u003eA vulnerability exists in gitoxide\u0026rsquo;s \u003ccode\u003egix_submodule::File::update()\u003c/code\u003e function, specifically in versions 0.31.0 to 0.82.0, that allows for arbitrary command execution. The vulnerability arises from an insufficient check on the origin of the \u003ccode\u003eupdate\u003c/code\u003e command specified in a \u003ccode\u003e.gitmodules\u003c/code\u003e file.  An attacker can exploit this by pushing a new commit with a malicious \u003ccode\u003eupdate\u003c/code\u003e command in \u003ccode\u003e.gitmodules\u003c/code\u003e after the victim initializes the submodule.  This bypasses the intended security guard, leading to potential remote command execution in downstream code that relies on \u003ccode\u003eSubmodule::update()\u003c/code\u003e and trusts the safety of \u003ccode\u003eUpdate::Command(_)\u003c/code\u003e. 
This issue is similar to CVE-2019-19604, highlighting the risk of unchecked commands in submodule configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a repository with a benign \u003ccode\u003e.gitmodules\u003c/code\u003e file, containing no \u003ccode\u003eupdate\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eA victim clones the attacker\u0026rsquo;s repository and runs \u003ccode\u003egit submodule init\u003c/code\u003e, which populates the \u003ccode\u003e.git/config\u003c/code\u003e file with submodule information (URL, active status), but not the \u003ccode\u003eupdate\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eThe attacker pushes a new commit to the repository, adding a malicious \u003ccode\u003eupdate = !\u0026lt;command\u0026gt;\u003c/code\u003e line to the \u003ccode\u003e.gitmodules\u003c/code\u003e file (e.g., \u003ccode\u003eupdate = !touch /tmp/pwned\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim runs \u003ccode\u003egit pull\u003c/code\u003e to update their local repository, incorporating the attacker\u0026rsquo;s modified \u003ccode\u003e.gitmodules\u003c/code\u003e file. 
The \u003ccode\u003e.git/config\u003c/code\u003e file remains unchanged.\u003c/li\u003e\n\u003cli\u003eA gitoxide-based application calls \u003ccode\u003eSubmodule::update()\u003c/code\u003e to determine the submodule update strategy.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003egix_submodule::File::update\u003c/code\u003e function is called, which incorrectly validates the source of the \u003ccode\u003eupdate\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe function checks that a submodule section with the same name exists in a non-.gitmodules source, but does not verify if the update value comes from that section, bypassing the intended security guard.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled shell command from the \u003ccode\u003e.gitmodules\u003c/code\u003e file is executed, leading to arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an attacker to execute arbitrary commands on a system running gitoxide-based applications that utilize submodules. This could lead to complete system compromise, data exfiltration, or denial of service. Any tool, IDE plugin, or CI integration building submodule-update functionality on top of \u003ccode\u003egix\u003c/code\u003e within the affected version range inherits this vulnerability.  
Successful exploitation depends on the vulnerable application\u0026rsquo;s trust in the output of \u003ccode\u003eSubmodule::update()\u003c/code\u003e, which determines the update strategy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003egix\u003c/code\u003e version 0.83.0 or later to patch the vulnerability (\u003ca href=\"https://github.com/advisories/GHSA-f26g-jm89-4g65\"\u003ehttps://github.com/advisories/GHSA-f26g-jm89-4g65\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement additional validation and sanitization of submodule configurations, especially when handling \u003ccode\u003eUpdate::Command(_)\u003c/code\u003e from \u003ccode\u003eSubmodule::update()\u003c/code\u003e, to prevent unintended command execution.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect potential exploitation attempts by monitoring for the execution of unexpected commands based on submodule configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"/briefs/2024-01-09-gitoxide-rce/","summary":"A vulnerability in gitoxide's `gix_submodule::File::update()` allows arbitrary command execution via a crafted `.gitmodules` file by incorrectly validating the source of the `update` command, enabling an attacker to inject malicious commands after a submodule has been initialized.","title":"gitoxide Arbitrary Command Execution via .gitmodules Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-09-gitoxide-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Code-Vulnerability","version":"https://jsonfeed.org/version/1.1"}