<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1462084720533760&amp;ev=PageView&amp;noscript=1">
Vulnerability Report

CVE-2020-27955 Git LFS RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

Git LFS (Large File Storage) is a Git extension developed by Atlassian, GitHub, and a few other open source contributors, that reduces the impact of large files in your repository by downloading the relevant versions of them lazily. Specifically, large files are downloaded during the checkout process rather than during cloning or fetching. Git LFS 2.12.0 allows Remote Code Execution.

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS Base Score is 9.8 (Critical)

Affected Version

Git LFS 2.12.0. As per this site, it affects lot more products, like  Git / GitHub CLI / GitHub Desktop, Basically the whole Windows dev world which uses git.

Vulnerability Attribution

This vulnerability is reported by MITRE

Risk Impact

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server like GitHub.com or GitHub Enterprise. So, exploiting this vulnerability and placing backdoor can exfiltrate your data sensitive data. This vulnerability can also be used to perform lateral movement and exploit other Git based vulnerabilities. Public exploits are available here and here. There are video on YouTube showing how to exploit GitHub desktop. As per GitHub page – this vulnerability affects and is tested on  git, GitHub CLI, GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken

Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)-Host monitors processes that are spawned which are not part of a set of whitelisted process. Any attempt to execute new command or unknown binary would be denied by VSP-Host’s Process Monitoring capability.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.