The Git project has disclosed a severe vulnerability that can lead to arbitrary code execution; the flaw is tracked as CVE-2018-17456.
The issue is described as an option-injection attack that targets Git's handling of submodules.
The attack vector is a malicious repository that, when cloned, supplies a .gitmodules file whose URL field begins with a '-' character.
CVE-2018-17456 is similar to CVE-2017-1000117, another option-injection attack, which concerned the handling of "ssh" URLs in Git.
The command-line git clone tool does not correctly sanitize submodule URLs: when running git clone --recurse-submodules or git submodule update, the URL of a submodule can be interpreted as a command-line argument to the git clone that fetches it.
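The check GitHub.com applies to incoming pushes can be reproduced locally: parse a repository's .gitmodules and flag any submodule whose url begins with '-'. The script below is an added example, not code from the Git project or GitHub; the sample .gitmodules it scans is constructed, and checking the path field as well goes one step beyond what the advisory above describes.

```python
import re

# Constructed sample .gitmodules (not from the page): one benign submodule and
# one whose url begins with '-', the shape CVE-2018-17456 abuses.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = libfoo
\turl = https://example.com/libfoo.git
[submodule "suspicious"]
\tpath = vendor/suspicious
\turl = "-placeholder"
"""

_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
_KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def parse_gitmodules(text):
    """Parse .gitmodules (git-config syntax) into {name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = _SECTION.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            # git config allows double-quoted values; unwrap them so a
            # quoted "-foo" is still recognised as option-like.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[key] = value
    return modules

def find_option_like_submodules(text):
    """Return [(name, field, value)] where url or path starts with '-'."""
    # url is the CVE-2018-17456 field; path is checked too as an extra
    # precaution because it is also handed to git on a command line.
    findings = []
    for name, fields in parse_gitmodules(text).items():
        for field in ("url", "path"):
            value = fields.get(field, "")
            if value.startswith("-"):
                findings.append((name, field, value))
    return findings
```

Run `find_option_like_submodules(open(".gitmodules").read())` against a freshly cloned repository before enabling recursive submodule updates; an empty list means no option-like url or path values were found.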
Remember that everything can be hacked. To stay clear of cyber threats, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your network; these tests include penetration testing and ethical hacking.
The good news is that the latest version of the software, Git v2.19.1, has been released with a patch that resolves the flaw.
The Git project has also released backports for versions v2.14.5, v2.15.3, v2.16.5, v2.17.2 and v2.18.1 to fix the bug in the older release lines.
All GitHub Desktop users running version 1.4.1 or older are also affected and need to update immediately to either 1.4.2 or 1.4.3-beta0.
Atom is also affected; to fix it, update to 1.31.2 or 1.32.0-beta3.
GitHub.com stated that it will detect malicious repositories and reject pushes or API requests that attempt to create them.
Once again, we advise all users to update their builds as quickly as possible and to avoid interacting with submodules from repositories they do not trust.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS your machine runs. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your network; these tests include penetration testing and ethical hacking.