Source code management platforms affected by recent flaw

Three of the most popular version control systems (VCSs) used in managing source code projects are vulnerable to a flaw that allows an attacker to run code on a victim's platform, potentially leading to the theft of source code or the hijacking of the underlying machine.

Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link.

Social engineering not necessary to exploit the flaw

Schneeweisz says that a URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.

"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules," Schneeweisz explains.

"It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.

Vulnerability affects Git, Hg, SVN, and CVS

The issue was initially discovered in Git LFS, and later in GitLab's Git implementation (CVE-2017-12426). Further analysis revealed the issue also affect the parent Git project (CVE-2017-1000117), but also in other totally unrelated version control systems like Apache Subversion (CVE-2017-9800), Mercurial (CVE-2017-1000116) and the ancient CVS.

Recurity Labs privately disclosed the vulnerability to all affected vendors and waited until all released patches. Yesterday, the company went public with its discovery.

Out of all platforms, Schneeweisz says that Subversion is the most vulnerable because the platform doesn't detect HTTP redirects in repository cloning operations.

"SVN was affected in the worst way," the expert said. "SVN follows HTTP 301 redirects [...]. As a result, an innocent looking HTTP URL can be used to trigger a Command Execution with a 301 redirect."