Tainted Git Repositories Allow Arbitrary Code Execution
Git recently disclosed a security flaw that, if exploited, lets attackers execute arbitrary code through malicious or tainted repositories, according to Microsoft. The flaw, tracked as CVE-2018-11235, has been fixed in Git 2.17.1 and in Git for Windows 2.17.1. Meanwhile, VSTS (Visual Studio Team Services) has started blocking pushes of tainted repositories to VSTS users, so that Visual Studio Team Services does not become a channel for distributing such repositories to customers who have not yet installed the security patch.
The flaw has been described as similar to a known problem with submodule configuration: it arises when Git clones a submodule configuration. Git gives developers post-checkout hooks that run in the context of the project. Hooks can in fact be defined inside submodules, and a submodule can be tainted so that it instructs Git to run code. Threatpost.com reported this on May 30, 2018.
For the uninitiated, hooks are small programs that run at particular points while Git is being used. They let a user automate certain tasks and integrate them into their workflow.
Another flaw, CVE-2018-11233, relates to how Git handles path names on Windows and other NTFS-based systems. By abusing it, an attacker can read the contents of memory.
The latter flaw affects users on all platforms but is now corrected in Git 2.13.7. Git's maintainers are understood to have forward-ported the fix to versions 2.16.4, 2.15.2 and 2.14.4.
The second flaw was discovered by Etienne Stalmans, who reported it through GitHub's bug bounty programme. Thompson gives further instructions on his blog for checking whether a Git client is vulnerable. Users are advised to update their Git desktop and/or server clients.
Microsoft, besides advising users to update, has pledged to release a hotfix for Visual Studio 2017. Moreover, Microsoft says, Git no longer works with repos that do not conform to the newly specified configuration.
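As an added defensive check (not code from the article, Microsoft or the Git project), the POSIX shell script below compares a Git version string against the patched releases named above and scans a .gitmodules file for submodule names containing a ".." path component, the kind of name patched Git refuses to use. The per-branch version table, the assumption that branches newer than 2.17 already carry the fix, and the sample .gitmodules with example.invalid URLs are all constructed here.

```shell
#!/bin/sh
# Added defensive check; not Git's or the article's own code.

# Minimum patch level per release branch, from the versions the article names.
# Assumption: branches newer than 2.17 already include the fix.
min_patch_for_branch() {
  case "$1" in
    2.13) echo 7 ;;
    2.14) echo 4 ;;
    2.15) echo 2 ;;
    2.16) echo 4 ;;
    2.17) echo 1 ;;
    *)    echo "" ;;   # no fixed release in this branch
  esac
}

# Usage: git_is_patched "$(git --version)"  -> exit 0 if patched, 1 otherwise.
# Accepts "git version 2.17.1.windows.2" style strings as well as bare "2.17.1".
git_is_patched() {
  ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || return 1          # unparsable: treat as not patched
  set -- $ver
  major=$1; minor=$2; patch=$3
  [ "$major" -gt 2 ] && return 0
  [ "$major" -lt 2 ] && return 1
  [ "$minor" -gt 17 ] && return 0
  need=$(min_patch_for_branch "$major.$minor")
  [ -n "$need" ] || return 1         # 2.12 and older: no fixed release
  [ "$patch" -ge "$need" ]
}

# Reads a .gitmodules file on stdin; prints each submodule name that has a
# ".." path component and exits 1 if any were found, 0 otherwise.
suspicious_submodule_names() {
  sed -n 's/^[[:space:]]*\[submodule "\(.*\)"][[:space:]]*$/\1/p' |
    awk -F/ '{ for (i = 1; i <= NF; i++) if ($i == "..") { print; bad = 1; break } }
             END { exit (bad ? 1 : 0) }'
}

# Constructed sample .gitmodules: one benign entry, one with a ".." component.
sample_gitmodules() {
  printf '%s\n' '[submodule "lib/helper"]' 'path = lib/helper' \
    'url = https://example.invalid/helper.git' \
    '[submodule "../escape"]' 'path = vendor/escape' \
    'url = https://example.invalid/escape.git'
}

# Stand-alone run: report on the installed git and on the constructed sample.
git_is_patched "$(git --version 2>/dev/null)" && echo "git: patched" || echo "git: update needed or version unknown"
sample_gitmodules | suspicious_submodule_names || echo "suspicious submodule names found (listed above)"
```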
SPAMfighter News - 6/7/2018