CVE-2022-24765 is a medium-severity vulnerability found in Git for Windows, which is a fork of Git that includes Windows-specific patches. This vulnerability affects users operating in multi-user environments where untrusted parties have write access to the same hard disk. The key issue arises when these untrusted users create a folder named `C:\.git`. Git operations executed outside of a repository will search for Git directories and respect configurations found in this folder, leading to potential security breaches.
The vulnerability impacts various user scenarios. For instance, Git Bash users who have set the `GIT_PS1_SHOWDIRTYSTATE` configuration are at risk, as are users who have installed Posh-Git simply by launching a PowerShell. Additionally, developers using Integrated Development Environments (IDEs) like Visual Studio could be affected, as creating a new project may automatically read from the configuration specified in `C:\.git\config`.
The vulnerability has been addressed in Git for Windows version 2.35.2. Users who are unable to upgrade are advised to create a `.git` folder on all drives where Git commands are executed and remove read/write access to these folders. Alternatively, adjusting the `GIT_CEILING_DIRECTORIES` environment variable to include the parent directory of the user profile (e.g., `C:\Users`) can help mitigate the issue.
Given the nature of this vulnerability, organizations should prioritize patching immediately. The risk to organizations includes unauthorized access to sensitive configuration settings, which could lead to further exploitation.
The CVSS score for this vulnerability is 6.0 (Medium), indicating that it has a local attack vector with high attack complexity and requires low privileges. Organizations must assess their exposure and implement the necessary fixes without delay.
Vulnerability Details
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed Posh-Git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2.
The CVSS score for this vulnerability is 6.0 out of 10, categorized as Medium severity. This score reflects the potential impact on confidentiality, integrity, and availability, with a high confidentiality and integrity impact but none on availability. The attack vector is local, requiring the attacker to have access to the affected machine.
Technical Analysis
The root cause of this vulnerability lies in the improper handling of Git configurations when searching for Git directories. This allows malicious users to manipulate the configuration of Git operations that run outside a repository context. The attack complexity is classified as high, necessitating some technical knowledge to exploit the vulnerability effectively.
The attack vector is local, meaning that an attacker must have physical or legitimate access to the machine. Privileges required are low, indicating that a standard user can execute the attack without needing elevated permission. User interaction is required, as the attacker must create the `C:\.git` folder.
In terms of impact, confidentiality and integrity are both significantly affected, as unauthorized configurations can be read and executed without the original user's consent. Availability is not impacted, as the system remains operational despite the vulnerability.
Risk & Impact Analysis
Organizations that utilize Git for Windows in multi-user environments are at a heightened risk with this vulnerability. The potential for unauthorized access to sensitive Git configurations poses a significant threat, especially in collaborative environments where multiple users have access to the same systems.
The blast radius is extensive, as any user with access to the shared machine could manipulate the Git configurations, potentially leading to unauthorized code executions or alterations. The urgency for remediation is high given the CVSS score of 6.0, and organizations should address this vulnerability in their priority patch cycle.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of Git for Windows prior to 2.35.2 are affected by this vulnerability. Specific components that are vulnerable include Git itself, Fedora, Xcode, and Debian Linux versions 10.0 and later.
Mitigation & Remediation
To mitigate this vulnerability, organizations should upgrade to Git for Windows version 2.35.2 or later. Users unable to upgrade can create a `.git` folder on all drives where Git commands are executed and remove read/write access from those folders as a workaround.
Alternatively, defining or extending the `GIT_CEILING_DIRECTORIES` environment variable to cover the parent directory of the user profile (e.g., `C:\Users`) can help manage access and prevent unauthorized configurations.
For further assistance, organizations may consider engaging in penetration testing to validate the effectiveness of the remediation efforts.
Detection Guidance
To detect potential exploitation of this vulnerability, organizations should monitor for any creation or modification of the `C:\.git` directory. Additionally, logs should be reviewed for any unusual Git operations that reference this directory.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2022-24765 lies in its demonstration of how vulnerabilities in widely-used software can arise from improper access controls in collaborative environments. This incident serves as a reminder for security teams to continuously evaluate and enforce strict access policies.
Companies should consider adopting proactive security measures, such as regular security audits and vulnerability management programs that enable them to identify and address security weaknesses promptly.
Additionally, implementing a penetration testing methodology can help organizations uncover and mitigate similar vulnerabilities in their environments.
Overall, the lessons learned from this vulnerability emphasize the importance of maintaining a security posture that is both vigilant and proactive, ensuring that potential attack vectors are identified and addressed before they can be exploited.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)