Attacker Value: High (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2020-27955 — Git Large File Storage / Git LFS (git-lfs) - Remote Code Execution (RCE)

Disclosure Date: November 05, 2020

Description

Git LFS 2.12.0 allows Remote Code Execution.

Technical Analysis

Git Large File Storage, or Git LFS, is an open source extension used to store large files outside of the git repository. Git LFS stores the large file on a remote server while storing a pointer to the file in the repo.

Git LFS (git-lfs) versions <= 2.12 have a vulnerability that allows remote attackers to execute arbitrary code on the victim's Windows system if the victim clones the attacker's repository, which makes use of git-lfs.

Git LFS does not specify the full path to the git binary when spawning a new git process via the following ExecCommand() function:

subprocess/subprocess_windows.go:

    // A bare name such as "git" is resolved by exec.Command through LookPath,
    // which on Windows (and Go releases before 1.19) also searches the current
    // working directory, i.e. the checked-out repository.
    func ExecCommand(name string, arg ...string) *Cmd {
        cmd := exec.Command(name, arg...)
        cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
        cmd.Env = fetchEnvironment() // git-lfs helper defined elsewhere in the package
        return newCmd(cmd)           // git-lfs helper defined elsewhere in the package
    }

If the attacker places a malicious executable file in the repository (which must be named git.bat, git.exe or git.cmd), then when the repository gets cloned the malicious file gets executed instead of the original git binary located in a trusted path.

This can lead to privileged access and takeover of the Windows host that gets tricked into cloning the malicious repo. Definitely worth patching, although due to the level of user interaction required (they have to perform the clone) I would say the exploitability rating is quite low despite having a CVSS score of 9.8.
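The following Go program is an added example and is not code from the page, from the assessment above, or from the git-lfs project; the function names lookPathNoCwd, execCommandSafe and findShadowingGitFiles are hypothetical. It shows the defensive counterpart of the vulnerable ExecCommand: resolving the binary against absolute PATH entries only, so a git.exe, git.bat or git.cmd sitting in the working directory can never be picked up, plus a small post-clone check that flags a repository containing such files. It runs on any platform; the Windows extension list is applied only when GOOS is windows.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"strings"
)

// The file names the assessment above lists as able to shadow "git" on Windows.
var windowsExts = []string{".exe", ".bat", ".cmd"}

// lookPathNoCwd resolves a bare command name against the directories listed in
// pathEnv only. It deliberately skips empty entries, ".", and any relative entry,
// all of which Windows treats as "the current directory" when resolving a command,
// so a git.exe/git.bat/git.cmd dropped into a cloned repository cannot shadow the
// real git binary.
func lookPathNoCwd(name, pathEnv string, exts []string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("refusing %q: pass a bare command name, not a path", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if dir == "" || dir == "." || !filepath.IsAbs(dir) {
			continue // would resolve relative to the working directory
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			if info, err := os.Stat(candidate); err == nil && !info.IsDir() {
				return candidate, nil
			}
		}
	}
	return "", fmt.Errorf("%q not found in any absolute PATH entry", name)
}

// execCommandSafe is a hardened counterpart of the vulnerable ExecCommand shown
// above (hypothetical, not git-lfs's own fix): the binary is resolved to an
// absolute path before exec.Command ever sees the name.
func execCommandSafe(name string, arg ...string) (*exec.Cmd, error) {
	exts := []string{""} // plain name on Unix-like hosts
	if runtime.GOOS == "windows" {
		exts = windowsExts
	}
	full, err := lookPathNoCwd(name, os.Getenv("PATH"), exts)
	if err != nil {
		return nil, err
	}
	return exec.Command(full, arg...), nil
}

// findShadowingGitFiles lists top-level files in repoDir whose name would be
// resolved as "git" on Windows. It is a cheap post-clone check a CI job or a
// repository scanner can run to flag repositories that carry such a file.
func findShadowingGitFiles(repoDir string) ([]string, error) {
	entries, err := os.ReadDir(repoDir)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		lower := strings.ToLower(e.Name())
		for _, ext := range windowsExts {
			if lower == "git"+ext {
				found = append(found, e.Name())
			}
		}
	}
	return found, nil
}

func main() {
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	found, err := findShadowingGitFiles(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range found {
		fmt.Printf("warning: %s in %s would shadow git on Windows during git-lfs operations\n", f, dir)
	}
	if cmd, err := execCommandSafe("git", "--version"); err == nil {
		fmt.Println("git resolved to:", cmd.Path)
	} else {
		fmt.Println(err)
	}
}
```

Run it with the path of a freshly cloned repository as the first argument. The resolver is the important half: even when PATH contains an empty or "." entry, which Windows would treat as the working directory, it is ignored and only a file under an absolute PATH directory is accepted.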

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • git large file storage project

Products

  • git large file storage 2.12.0