If Git is installed as a package on an affected version, attackers can use the package version to exploit this vulnerability. This can be done by creating a malicious Git repository, pushing it to a target, and then pulling it back. The pull command sends the malicious code with the package version to the target system through the NTLM protocol. In most cases, the process of pulling the repository results in a connection to the Git server instead of the desired server. To protect against this vulnerability, install Git as a package on all systems, use a virtual machine, or use a public Git server. A virtual machine or public Git server prevents the package version from being used to exploit this vulnerability.

References

- CVE-2022-2780

You can also use a virtual machine or public Git server to protect against this vulnerability. These measures help prevent the malicious code from being executed on your system, which prevents it from gaining access to your systems.

In addition to being able to protect against the vulnerability with a virtual machine or public Git server, you should also install Git as a package on all systems so that your systems don't become vulnerable. This is because these two methods will prevent attackers from exploiting the vulnerability since they cannot be used in conjunction with each other.

How to Detect If You Are Affected By Git CVE-2022-2780

To detect if you are affected by the Git vulnerability CVE-2022-2780, you can use a Git tool such as gitk. A vulnerable version of Git is 7.8.0.
If this command returns a non-zero exit code, then it is possible that the virtual machine or public Git server has been compromised and could be used to exploit this vulnerability.

Information Gathering of Git

Git is a software version control system designed for speed and efficiency. It is the most widely used distributed revision control system with around 1.4% of all hosts that are actively and publicly tracked in GitHub. The Git package manager is an integral part of the Git application, and can be used to install pre-compiled binaries and to create a repository on a target system. The package manager contains several command line tools, such as git-clone, git-up, git-pull, and git-push. These tools can be used by attackers to establish a connection with a target system through the NTLM protocol. When the target pulls this repository through the NTLM protocol, it executes the malicious code included with the package version of Git installed on the target system.

Timeline

Published on: 10/14/2022 07:15:00 UTC
Last modified on: 10/19/2022 14:36:00 UTC

References