Threat actors could exploit the flaws to execute arbitrary code. A Windows-specific vulnerability was also discovered in the Git GUI tool, which allows attackers to execute malicious code on vulnerable systems.
The popular version-control system Git recently addressed two critical zero-day vulnerabilities:
CVE-2022-23521 in the .gitattributes parser and CVE-2022-41903 in the commit formatting mechanism. Both flaws involve heap-based buffer overflow issues that could be exploited to execute arbitrary code on vulnerable systems. Additionally, a Windows-specific vulnerability (CVE-2022-41953) was identified in the Git Graphical User Interface (GUI) tool, characterized as an untrusted search path flaw. With this vulnerability, threat actors could launch low-complexity attacks, executing malicious code on vulnerable systems. The successful exploitation of all three flaws could enable attackers to access sensitive data that could be misused in malicious and fraudulent operations.
While the three aforementioned flaws were directly reported to the vendor, security researchers also identified many integer-related problems. These issues could potentially result in denial-of-service (DoS) scenarios, out-of-bound reads, or inadequate handling of edge cases with large input.
While Git released new versions to address CVE-2022-23521 and CVE-2022-41903 on January 11, 2023, no patch has been released for CVE-2022-41953. Current mitigation strategies for that flaw include refraining from cloning untrusted sources’ repositories and not using the Git GUI tool for repository cloning.
To mitigate the CVE-2022-23521 and CVE-2022-41903 vulnerabilities, users should upgrade to the latest version of Git (v2.39.1). Until there is an update to address CVE-2022-41953, users can prevent potential adversaries’ exploitation of vulnerable Git functionality by taking a number of proactive steps.
DIVING DEEPER
The two critical vulnerabilities in Git have already generated significant buzz on the underground, with threat actors sharing information about these flaws and their potential for exploitation.
In addition, Cybersixgill’s CVEs Module compiled features related to one of the aforementioned vulnerabilities, providing insight into its evolution over time.
Cybersixgill collected the following post from a popular cybercrime forum in which a Russian-speaking member with a high reputation score provided information about CVE-2022-23521 and CVE-2022-41903. Specifically, the forum member described the characteristics of each flaw and the causes of undesirable responses from Git products, possibly resulting in remote code execution (RCE) on victims’ systems. The forum member also mentioned the Git versions for which patches were released and temporary workarounds. Other threat actors on the forum could use this valuable information to implement relevant attack strategies, select targets accordingly, and maximize the chance of successful attacks.
The following screenshot displays the CVE-2022-23521 vulnerability scorecard on Cybersixgill’s CVEs Module. This table includes Cybersixgill’s high score (7.38) for the heap-based buffer overflow vulnerability. This high CVE score was based on discussions of the vulnerability on the surface-web and underground sources that Cybersixgill collects, and on the potential for damaging consequences posed by exploitation of the flaw.
The following Cybersixgill Investigative Portal table indicates the initial point on January 18, 2022, at which CVE-2022-23521 went from a severity rating of none to high (6) before reaching a 7.38 severity rating by January 19, 2022. Cybersixgill’s high score can be attributed to the spread of chatter related to the heap-based buffer overflow vulnerability on the surface and underground sources and the significant attack surface that CVE-2022-23521 involves.
The score assigned by Cybersixgill is dynamic and presents the current probability of this vulnerability being exploited by malicious actors. Given the increasing discussion of CVE-2022-23521 on the underground, the score is likely to rise further. Cybersixgill Investigative Portal users tracking this vulnerability could see its score change in real time as CVE-2022-23521 garnered more attention, driving more discussions and triggering a swift escalation in the risk assessment.
TAKEAWAYS
Cybercriminals relentlessly pursue zero-day vulnerabilities as initial vectors into victims’ systems, making the recent disclosure of CVE-2022-23521, CVE-2022-41903, and CVE-2022-41953 big news on the underground.
Since these vulnerabilities affect a ubiquitous software development tool, Git, the attack surface could be quite large, creating widespread risk. As such, threat actors will likely try to exploit these flaws to run arbitrary code on vulnerable systems and perform wide-scale attacks, ranging from ransomware and malware dropping to data extortion and cyber espionage.
Therefore, all organizations using Git should update to the latest version of the product (v2.39.1) or implement the aforementioned workarounds (disabling 'git archive' in untrusted repositories and refraining from using the Git GUI software to clone repositories).