CVE-2021-21237 in Git LFS
Summary
by MITRE • 01/16/2021
Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/15/2021
The vulnerability identified as CVE-2021-21237 represents a critical security flaw in Git LFS version 2.13.1 and earlier, specifically affecting Windows operating systems. This issue arises from a fundamental design oversight in how Git LFS handles command execution on Windows platforms, where the system's PATH resolution behavior differs significantly from Unix-like systems. The vulnerability stems from Git LFS's improper handling of executable file resolution when processing repositories containing malicious git.bat or git.exe files in the current working directory, creating a privilege escalation vector that allows attackers to execute arbitrary code with the privileges of the user running Git LFS. This flaw directly maps to CWE-78, which describes improper neutralization of special elements used in OS commands, and specifically relates to CWE-426, which addresses the execution of untrusted code or commands. The vulnerability is particularly concerning because it leverages the inherent Windows behavior where the current directory is prioritized in command resolution, a feature that differs from Unix systems where PATH resolution is more strictly controlled.
The technical implementation of this vulnerability occurs when Git LFS processes a repository that contains a malicious executable file named git.bat or git.exe in the current working directory. When Git LFS attempts to execute Git commands, it fails to properly resolve the command path, instead executing the malicious file from the current directory rather than the intended system Git installation. This behavior is a direct consequence of how Go's runtime handles command execution on Windows, where the operating system's default search order includes the current directory before the PATH environment variables. The issue is particularly insidious because it requires no user interaction beyond cloning or interacting with the malicious repository, making it a passive attack vector that can be exploited through social engineering or by simply encountering a compromised repository in a trusted environment. This vulnerability represents a regression from the previous fix for CVE-2020-27955, indicating that the initial mitigation was incomplete or improperly implemented, leaving the system vulnerable to the same class of attack.
The operational impact of CVE-2021-21237 is significant for organizations and individuals using Git LFS on Windows systems, as it provides attackers with a straightforward method to execute arbitrary code without requiring elevated privileges or complex exploitation techniques. This vulnerability affects any Windows user who interacts with Git LFS, particularly those who may clone repositories from untrusted sources or work in environments where repository integrity cannot be guaranteed. The attack surface is broad since Git LFS is commonly used in development environments, CI/CD pipelines, and collaborative software development workflows where users frequently interact with multiple repositories. The vulnerability can be exploited through various attack vectors including malicious repositories shared via code repositories, compromised development environments, or through supply chain attacks where attackers compromise legitimate repositories to distribute malicious content. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1203 (Exploitation for Client Execution), with potential for lateral movement and privilege escalation if the affected system has elevated permissions. The lack of effective workarounds beyond avoiding untrusted repositories or switching to Unix systems makes this vulnerability particularly dangerous in enterprise environments where Windows-based development is prevalent.
Mitigation strategies for CVE-2021-21237 are limited to upgrading to Git LFS version 2.13.2 or later, which contains the proper fix for this issue. The fix addresses the root cause by implementing proper command path resolution that prevents execution of local executables when Git LFS needs to execute Git commands. Organizations should immediately implement patch management procedures to ensure all Windows systems running Git LFS are updated to the patched version. Additional protective measures include implementing repository security policies that restrict access to untrusted repositories, using automated tools to scan repositories for malicious content, and establishing secure coding practices that prevent the creation of repositories containing malicious executables. Security teams should also monitor for indicators of compromise related to this vulnerability, including unusual Git LFS activity or unexpected command execution patterns. Given that the vulnerability is Windows-specific, organizations with mixed operating system environments may consider implementing additional controls for Windows systems or restricting Git LFS usage on Windows platforms until all systems are patched. The vulnerability highlights the importance of proper command execution handling in cross-platform applications and underscores the need for thorough testing of security fixes to prevent regression issues that can leave systems vulnerable to previously addressed threats.