How Version Control Systems Were Found to Be Vulnerable
A case has now emerged in which version control systems themselves are affected by a security flaw. Source code is no longer necessarily safe to fetch: three of the most popular version control systems have been found vulnerable to an attack in which the attacker runs code on the victim's machine and effectively hijacks it.
"The flaw relies on tricking users into cloning (copying) a source code project via an 'ssh://' link," said Joern Schneeweisz, a security researcher at Recurity Labs.
Social engineering not necessary to exploit the flaw
Schneeweisz says that a URL of the form "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.
“While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a sneakier way when it comes to Git submodules,” Schneeweisz explains.
“It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger,” the researcher added.
The vulnerability affects Git, Hg, SVN, and CVS
The issue came to light when the flaw was first found in Git LFS, and then in Git's own implementation. That discovery opened a Pandora's box: the parent Git project turned out to be affected as well, and then Apache Subversion, an entirely separate version control system, was also reported to be affected.
Schneeweisz says: "Recurity Labs privately disclosed the vulnerability to all affected vendors and waited until all had released patches. Yesterday, the company went public with its discovery." He added that, of all the platforms, Subversion is the most exposed, because it does not guard against HTTP redirects during repository checkout operations.
“SVN was affected in the worst way,” the expert said. “SVN follows HTTP 301 redirects […]. As a result, an innocent looking HTTP URL can be used to trigger a Command Execution with a 301 redirect.”
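A defensive pre-clone check for the two vectors described above (the crafted ssh:// submodule URL, and an innocent-looking HTTP URL that redirects to one). This is an added example, not code from Recurity Labs or from any of the affected projects; it is a stand-alone validator for repository and submodule URLs that flags any ssh-style URL whose host component begins with "-", which is the shape of the "ssh://-oProxyCommand=..." URL the researcher describes. The scp-like "user@host:path" form is handled as well, which goes beyond the ssh:// form on the page; the `.gitmodules` content and the redirect chain are constructed sample inputs, and all function names are my own.

```python
import re

# Recognise ssh-style URLs: scheme://[user@]host[:port][/path]
SSH_URL = re.compile(
    r"^(?P<scheme>ssh|git\+ssh|ssh\+git)://(?P<authority>[^/]*)(?P<path>/.*)?$",
    re.IGNORECASE,
)
# Recognise the scp-like shorthand: [user@]host:path (no "://" present)
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):(?P<path>.*)$")


def ssh_host(url: str):
    """Return the host string that would be handed to the ssh client for this URL,
    or None if the URL would not be fetched over ssh at all (https://, local paths)."""
    m = SSH_URL.match(url)
    if m:
        authority = m.group("authority")
        if "@" in authority:
            authority = authority.rsplit("@", 1)[1]  # drop user info
        return authority.split(":", 1)[0]            # drop :port
    if "://" not in url:
        m = SCP_LIKE.match(url)
        if m:
            return m.group("host")
    return None


def is_unsafe_url(url: str) -> bool:
    """A host that starts with '-' would be parsed by ssh as a command-line option
    (e.g. -oProxyCommand=...), so reject it before any clone is attempted."""
    host = ssh_host(url)
    return host is not None and host.startswith("-")


def scan_gitmodules(text: str):
    """Parse .gitmodules content and return [(submodule name, url)] for every
    submodule whose url would be rejected by is_unsafe_url."""
    unsafe = []
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = re.match(r'^\[submodule\s+"(?P<name>[^"]*)"\]$', line)
        if sec:
            name = sec.group("name")
            continue
        kv = re.match(r"^url\s*=\s*(?P<url>.+)$", line)
        if kv and name is not None:
            url = kv.group("url").strip()
            if is_unsafe_url(url):
                unsafe.append((name, url))
    return unsafe


def first_unsafe_in_chain(chain):
    """Given the sequence of URLs seen while following redirects, return the index
    of the first unsafe one, or None. The typed URL may look harmless while a later
    hop (e.g. after an HTTP 301) is an ssh:// URL with an option-shaped host."""
    for i, url in enumerate(chain):
        if is_unsafe_url(url):
            return i
    return None


# Constructed sample .gitmodules: one ordinary submodule and one crafted entry.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
    path = vendor/libfoo
    url = https://example.com/libfoo.git
[submodule "vendor/evil"]
    path = vendor/evil
    url = ssh://-oProxyCommand=some-command/repo
"""

# Constructed redirect chain: an innocent-looking HTTP URL that 301s to an ssh:// URL.
SAMPLE_CHAIN = [
    "http://example.com/repo",
    "ssh://-oProxyCommand=some-command/repo",
]

if __name__ == "__main__":
    for name, url in scan_gitmodules(SAMPLE_GITMODULES):
        print(f"refusing submodule {name!r}: host begins with '-' in {url}")
    hop = first_unsafe_in_chain(SAMPLE_CHAIN)
    if hop is not None:
        print(f"refusing redirect target at hop {hop}: {SAMPLE_CHAIN[hop]}")
```

The useful discipline is to run the check on every URL the client is about to act on, not only the one the user typed: each url in `.gitmodules` before a recursive clone or submodule update, and the final location after any HTTP redirect before handing it to a transport that shells out to ssh.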