Advisory number: NS-2020-0028
2020-04-16
TAG: |
Vulnerability impact: |
Version: |
1 Vulnerability Overview
On April 15, Git published a security advisory disclosing a vulnerability (CVE-2020-5260) that can leak Git users' credentials. Git uses credential helpers to store and retrieve credentials on the user's behalf. When a URL contains an encoded newline (%0a), unintended values can be injected into the credential helper's protocol stream. The flaw is triggered when an affected version of Git runs git clone against a malicious URL; an attacker can use such a URL to trick the Git client into sending credentials for a host. Affected users should take protective measures. Reference link:<p style="text-indent: 28px; line-height: 1.75em;">
<span style="line-height: 107%; color: black; background: none 0% 0% repeat scroll white; font-family: 微软雅黑, 'Microsoft YaHei';">https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q</span>
</p>
<p style="text-align: left; line-height: 1.75em; text-indent: 0em;">
</section> </section> </section> <section style="padding: 10px; color: #ffffff; margin-top: -15px; margin-right: auto; margin-left: auto; display: inline-block; border-color: #004738; border-radius: 5px; background-color: #004738; box-sizing: border-box;">
<p style="color: inherit;">
</p></section> </section> </section> </section> <section> <section style="box-sizing: border-box; border: 0px none initial;" data-tools="135编辑器" data-id="41173"> <section style="display: inline-block; box-sizing: border-box; border: 0px none initial;" data-tools="135编辑器" data-id="41173" data-color="#004738" data-custom="#004738">
<p style="text-align: justify; margin-top: 8px; padding-right: 10px; font-weight: bold; line-height: 28px; max-width: 100%; color: #004738; min-height: 32px; border-bottom: 1.5px solid #004738; border-top-color: #004738; border-right-color: #004738; border-left-color: #004738;">
<span style="margin-right: 8px; padding: 4px 10px; color: #ffffff; display: block; float: left; line-height: 20px; max-width: 100%; background-color: #004738;" title="" data-original-title="">2</span><strong style="border-color: #004738; color: inherit;" data-brushtype="text">Scope of Impact</strong>
</p></section> </section>
<p style="line-height: 1.75em;">
<strong style="font-size: 15px; caret-color: red; font-family: 微软雅黑, 'Microsoft YaHei';">Affected versions</strong>
</p><section style="box-sizing: border-box;"> <section data-role="list"> <section data-role="list">
<ul class="list-paddingleft-2" style="padding-left: 30px;">
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.17.x <= 2.17.3</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.18.x <= 2.18.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.19.x <= 2.19.3</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.20.x <= 2.20.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.21.x <= 2.21.1</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.22.x <= 2.22.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.23.x <= 2.23.1</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.24.x <= 2.24.1</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.25.x <= 2.25.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Git 2.26.x <= 2.26.0</span>
</p>
</li>
</ul></section> </section>
<p style="line-height: 1.75em;">
<span style="font-size: 15px; font-family: 微软雅黑, 'Microsoft YaHei';"><strong>Unaffected versions</strong></span>
</p><section data-role="list"> <section data-role="list">
<ul class="list-paddingleft-2" style="padding-left: 30px;">
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.17.4</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.18.3</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.19.4</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.20.3</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.21.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.22.3</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.23.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.24.2</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.25.3</span>
</p>
</li>
<li>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px;">Git 2.26.1</span>
</p>
</li>
</ul></section> </section>
<p style="text-align: left; line-height: 20px;">
<section style="display: inline-block; box-sizing: border-box; border: 0px none initial;" data-tools="135编辑器" data-id="41173" data-color="#004738" data-custom="#004738">
<p style="text-align: justify; margin-top: 8px; padding-right: 10px; font-weight: bold; line-height: 28px; max-width: 100%; color: #004738; min-height: 32px; border-bottom: 1.5px solid #004738; border-top-color: #004738; border-right-color: #004738; border-left-color: #004738;">
<span style="margin-right: 8px; padding: 4px 10px; color: #ffffff; display: block; float: left; line-height: 20px; max-width: 100%; background-color: #004738;" title="" data-original-title="">3</span>Vulnerability Detection
</p></section> </section> <section style="box-sizing: border-box;">
<p style="line-height: 1.75em;">
<strong><span style="font-size: 15px; font-family: 微软雅黑, 'Microsoft YaHei';">3.1 Version check<br /> </span></strong>
</p></section>
<p style="text-align: left; text-indent: 28px; line-height: 125%;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Affected users can determine whether their installation is at risk by checking its version.</span>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">Use the following command to show the current Git version:</span>
</p>
<table width="100%" cellspacing="0" cellpadding="0">
<tr>
<td style="border-width: 2px; border-color: windowtext; background: none 0% 0% repeat scroll #bfbfbf; padding: 0px 7px;" valign="top">
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">git --version</span>
</p>
</td>
</tr>
</table>
<p style="text-align: center;">
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">If the version in use falls within the affected range, a security risk may exist.</span>
</p><section style="display: inline-block; box-sizing: border-box; border: 0px none initial;" data-tools="135编辑器" data-id="41173" data-color="#004738" data-custom="#004738">
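As an added example (not part of the advisory and not the Git project's code), the Python helper below turns the output of <code>git --version</code> into a version tuple and compares it against the first fixed release of each line listed in section 2. The table of fixed versions is the advisory's; the function names are this example's own, and release lines the advisory does not list (older than 2.17 or newer than 2.26) get no verdict rather than a guess.

```python
"""Added example (not NSFOCUS's or the Git project's code): classify a Git
version against the affected ranges given in this advisory."""
import re
import subprocess

# First fixed release of each line named in section 2 of the advisory;
# the affected range of a line is everything below its entry here.
FIRST_FIXED = {
    (2, 17): (2, 17, 4),
    (2, 18): (2, 18, 3),
    (2, 19): (2, 19, 4),
    (2, 20): (2, 20, 3),
    (2, 21): (2, 21, 2),
    (2, 22): (2, 22, 3),
    (2, 23): (2, 23, 2),
    (2, 24): (2, 24, 2),
    (2, 25): (2, 25, 3),
    (2, 26): (2, 26, 1),
}


def parse_git_version(output):
    """Return (major, minor, patch) from `git --version` output such as
    'git version 2.23.1' or 'git version 2.26.0.windows.1'; None if absent."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the version is below the first fix for its release line,
    False when it is at or above the fix, None when the advisory does not
    list that line (older than 2.17 or newer than 2.26)."""
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def check_local_git():
    """Run `git --version` on this machine and return (version, verdict)."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_git_version(out)
    return version, (None if version is None else is_affected(version))


if __name__ == "__main__":
    version, verdict = check_local_git()
    label = {True: "AFFECTED", False: "fixed",
             None: "not covered by this advisory"}[verdict]
    print(f"git {version}: {label}")
```

Running the script on a host prints one verdict; across a fleet, feed each host's `git --version` line to `parse_git_version` and `is_affected` instead of calling `check_local_git`.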
<p style="text-align: justify; margin-top: 8px; padding-right: 10px; font-weight: bold; line-height: 28px; max-width: 100%; color: #004738; min-height: 32px; border-bottom: 1.5px solid #004738; border-top-color: #004738; border-right-color: #004738; border-left-color: #004738;">
<span style="margin-right: 8px; padding: 4px 10px; color: #ffffff; display: block; float: left; line-height: 20px; max-width: 100%; background-color: #004738;" title="" data-original-title="">4</span>Vulnerability Mitigation
</p></section> </section> <section>
<p style="line-height: 1.75em;">
<strong><span style="font-size: 15px; font-family: 微软雅黑, 'Microsoft YaHei';">4.1 Official upgrade<br /> </span></strong>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">The Git project has fixed this vulnerability in its latest releases. Affected users should upgrade as soon as possible. Official download link: https://github.com/git/git/releases</span>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">The following commands can be used to install the update (using 2.23.2 as an example):</span>
</p>
<table width="100%" cellspacing="0" cellpadding="0">
<tr>
<td style="border-width: 2px; border-color: windowtext; background: none 0% 0% repeat scroll #bfbfbf; padding: 0px 7px;" valign="top">
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">wget https://github.com/git/git/archive/v2.23.2.tar.gz</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">tar zxvf v2.23.2.tar.gz</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">cd git-2.23.2</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">make configure</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">./configure --prefix=/usr/local/git --with-iconv=/usr/local/libiconv</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">make all doc</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">make install install-doc install-html</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">echo 'export PATH=$PATH:/usr/local/git/bin:/usr/local/git/libexec/git-core' >> /etc/bashrc</span>
</p>
</td>
</tr>
</table>
<p style="line-height: 1.75em;">
<p style="line-height: 1.75em;">
<strong><span style="font-size: 15px; font-family: 微软雅黑, 'Microsoft YaHei';">4.2 Other protective measures</span></strong>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;"><span style="line-height: 125%; background: none 0% 0% repeat scroll white;">If affected users cannot upgrade for the time being, </span><span style="line-height: 125%;">the following measures can also be used for protection:</span></span>
</p>
<p style="text-align: left; text-indent: 28px; background: none 0% 0% repeat scroll white; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;"><strong><span style="line-height: 125%;">Method 1: disable the credential helper with the following commands</span></strong></span>
</p>
<table width="100%" cellspacing="0" cellpadding="0">
<tr>
<td style="border-color: windowtext; background: none 0% 0% repeat scroll #bfbfbf; padding: 0px 7px;" valign="top">
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">git config --unset credential.helper</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">git config --global --unset credential.helper</span>
</p>
<p style="text-align: left; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;">git config --system --unset credential.helper</span>
</p>
</td>
</tr>
</table>
<p style="margin-bottom: 10px; text-indent: 32px; background: none 0% 0% repeat scroll white; line-height: 1.75em;">
<p style="text-align: left; text-indent: 28px; background: none 0% 0% repeat scroll white; line-height: 1.75em;">
<span style="font-size: 14px; font-family: 微软雅黑, Microsoft YaHei;"><strong><span style="line-height: 125%;">Method 2: stay alert and avoid malicious URLs</span></strong></span>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="line-height: 125%; background: none 0% 0% repeat scroll white; font-size: 14px; font-family: 微软雅黑, 'Microsoft YaHei';">1. Before running git clone, check whether the hostname and username portions of the URL contain an encoded newline (%0a) or other evidence of credential protocol injection (for example, host=github.com).</span>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="line-height: 125%; background: none 0% 0% repeat scroll white; font-size: 14px; font-family: 微软雅黑, 'Microsoft YaHei';">2. Avoid using submodules with untrusted repositories (do not use clone --recurse-submodules; run git submodule update only after inspecting the url entries found in .gitmodules).</span>
</p>
<p style="text-align: left; text-indent: 28px; line-height: 1.75em;">
<span style="line-height: 125%; background: none 0% 0% repeat scroll white; font-size: 14px; font-family: 微软雅黑, 'Microsoft YaHei';">3. Do not run git clone against untrusted URLs.</span>
</p>
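The injection mechanism described in the overview and the URL inspection called for in steps 1 and 2 of Method 2, as an added example (this is not NSFOCUS's advisory code nor the Git project's own): a Python script that splits a URL into protocol, username, password and host the way Git's credential code does (the authority runs up to the first "/", so a "?" does not end the host, unlike Python's urlsplit), percent-decodes each part, and reports any part in which a decoded newline would let a second key=value line reach the credential helper. It also walks a .gitmodules file and applies the same check to every url entry. The sample .gitmodules text, the hostnames one.example.com and two.example.com, and all function names are constructed for this example.

```python
"""Added example (not NSFOCUS's advisory code nor the Git project's own):
pre-clone inspection for the CVE-2020-5260 URL pattern.

split_like_git() models, in simplified form, how Git's credential code
derives protocol/username/password/host from a URL; the checks below then
look for a decoded newline in any of those parts, because Git hands them to
the credential helper as 'key=value' lines separated by newlines.
"""
import re
from urllib.parse import unquote


def split_like_git(url):
    """Split a URL the way Git's credential code does.

    The authority runs from after '://' to the first '/', so a '?' does NOT
    end the host here (unlike urllib.parse.urlsplit). Returns None when the
    URL has no '://' (scp-style 'git@host:repo' syntax), for which Git does
    not build a credential request from the URL at all.
    """
    proto_end = url.find("://")
    if proto_end < 0:
        return None
    rest = url[proto_end + 3:]
    slash = rest.find("/")
    authority = rest if slash < 0 else rest[:slash]
    username = password = ""
    at = authority.find("@")
    if at < 0:
        host = authority
    else:
        userinfo, host = authority[:at], authority[at + 1:]
        colon = userinfo.find(":")
        if colon < 0:
            username = userinfo
        else:
            username, password = userinfo[:colon], userinfo[colon + 1:]
    # Git percent-decodes each component before writing it to the helper.
    return {
        "protocol": url[:proto_end],
        "username": unquote(username),
        "password": unquote(password),
        "host": unquote(host),
    }


def credential_injection_findings(url):
    """Return a list of findings for one URL; [] means it looks clean."""
    parts = split_like_git(url)
    if parts is None:
        return []
    findings = []
    for name, value in parts.items():
        if "\n" in value or "\r" in value:
            # Everything after the first newline would be read by the helper
            # as additional 'key=value' lines (e.g. 'host=...'), which is
            # exactly the injection the advisory describes.
            injected = [ln for ln in re.split(r"[\r\n]+", value)[1:] if ln]
            findings.append(
                f"newline inside {name!r}; lines that would be injected: {injected}")
    return findings


# Minimal reader for the 'url = ...' entries of a .gitmodules file (full git
# config syntax, such as comments and quoted values, is not handled here).
_SUBMODULE_HEADER = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
_URL_KEY = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.IGNORECASE)


def scan_gitmodules(text):
    """Return {submodule name: findings} for every url entry with findings."""
    report = {}
    name = None
    for line in text.splitlines():
        header = _SUBMODULE_HEADER.match(line)
        if header:
            name = header.group(1)
            continue
        entry = _URL_KEY.match(line)
        if entry and name is not None:
            findings = credential_injection_findings(entry.group(1))
            if findings:
                report[name] = findings
    return report


# Constructed sample: one ordinary submodule and one whose url carries an
# encoded newline followed by a second 'host=' line.
SAMPLE_GITMODULES = """\
[submodule "clean"]
\tpath = vendor/clean
\turl = https://github.com/example-org/clean.git
[submodule "tampered"]
\tpath = vendor/tampered
\turl = https://one.example.com%0ahost=two.example.com/repo.git
"""

if __name__ == "__main__":
    for name, findings in scan_gitmodules(SAMPLE_GITMODULES).items():
        print(f"submodule {name!r}:", *findings, sep="\n  ")
```

Run it over the .gitmodules of a freshly cloned (but not yet recursively updated) repository before `git submodule update`; a non-empty report is the "evidence of credential protocol injection" step 1 asks you to look for, and the fixed Git releases reject such URLs outright at the same point.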
<p style="text-align: center; line-height: 1.75em;">
<p style="text-align: center; line-height: 1.75em;">
</section> </section>
<p style="text-align: center; font-family: Helvetica, Arial, sans-serif;">
<span style="color: #004738;"><strong style="line-height: 1.8;">END</strong></span>
</p>
<p style="text-align: center; font-family: Helvetica, Arial, sans-serif;">
<span style="line-height: 1.8;">Author: NSFOCUS Threat Confrontation Capability Department (绿盟科技威胁对抗能力部)</span>
</p><section style="box-sizing: border-box; font-family: Helvetica, Arial, sans-serif; border: 0px none initial;"> <section style="text-align: center; box-sizing: border-box;"> <section style="display: inline-block; width: 150px; box-sizing: border-box;">
<img decoding="async" class="aligncenter" src="https://www.kubehan.cn/wp-content/uploads/2020/04/frc-2a48ebb68d973c69cea63e7d48ef54e1.png" alt="[Vulnerability Advisory] Git credential leak vulnerability (CVE-2020-5260) advisory" /> </section> </section> </section> <section style="box-sizing: border-box; font-family: Helvetica, Arial, sans-serif; border: 0px none initial;"> <section style="text-align: center; box-sizing: border-box;"> <section style="display: inline-block; box-sizing: border-box;"><img decoding="async" class="aligncenter" src="https://www.kubehan.cn/wp-content/uploads/2020/04/frc-145ee74f0b6a5fccc5818a48960b4c59.jpeg" alt="[Vulnerability Advisory] Git credential leak vulnerability (CVE-2020-5260) advisory" /> </section> </section> </section> <section style="box-sizing: border-box; font-family: Helvetica, Arial, sans-serif; border: 0px none initial;" data-color="#6fba2c" data-custom="#6fba2c"> <section style="width: 100%; box-sizing: border-box;"> <section style="padding-right: 10px; padding-left: 10px; line-height: 30px; height: 30px; color: #ffffff; background-color: #6fba2c; text-align: center; box-sizing: border-box;"><strong>Disclaimer</strong></section> <section style="padding: 10px; background-color: #fafafa; color: #666666; line-height: 30px; box-sizing: border-box;">
<p style="font-size: 14px; color: #555555; font-variant-numeric: normal; line-height: 28.8px; widows: 1; text-indent: 28px;">
This security advisory is provided solely to describe possible security issues; NSFOCUS makes no guarantee or commitment regarding it. Any direct or indirect consequences and losses caused by disseminating or using the information in this advisory are the sole responsibility of the user; NSFOCUS and the advisory's authors accept no liability for them.
</p>
<p style="font-size: 14px; color: #555555; font-variant-numeric: normal; line-height: 28.8px; widows: 1; text-indent: 28px;">
NSFOCUS reserves the right to modify and interpret this security advisory. Anyone who reproduces or distributes it must preserve it in its entirety, including the copyright notice and all other content. Without NSFOCUS's permission, this advisory may not be modified, abridged or extended in any way, nor used for commercial purposes by any means.
</p><section style="font-size: 14px; box-sizing: border-box; border: 0px none initial;"> <section style="text-align: center; box-sizing: border-box;">
<p style="text-align: center; display: inline-block;">
<img decoding="async" class="aligncenter" src="https://www.kubehan.cn/wp-content/uploads/2020/04/frc-145ee74f0b6a5fccc5818a48960b4c59.jpeg" alt="[Vulnerability Advisory] Git credential leak vulnerability (CVE-2020-5260) advisory" />
</p></section> </section> </section> </section> </section> <section style="box-sizing: border-box; border: 0px none initial;" data-tools="135编辑器" data-id="85996"> <section style="text-align: center; box-sizing: border-box;"> <section style="padding: 40px; background-color: #f4f4f4; box-sizing: border-box;"> <section style="margin-bottom: 10px; box-sizing: border-box;">
<span style="color: #030303; font-weight: 600; font-size: 24px; font-family: arial, helvetica, sans-serif;" data-brushtype="text">NSFOCUS Security Intelligence</span> <span style="font-size: 40px; color: #3f3f3f;">∣</span><span style="color: #030303;" data-brushtype="text">WeChat official account</span></section> <section style="box-sizing: border-box;"> <section style="margin-top: 14px; display: inline-block; vertical-align: top; width: 50%; text-align: right; box-sizing: border-box;" data-width="50%"><img decoding="async" class="aligncenter" src="https://www.kubehan.cn/wp-content/uploads/2020/04/frc-5f91c74212bb9c8191aa6a3cc529e729.jpeg" alt="[Vulnerability Advisory] Git credential leak vulnerability (CVE-2020-5260) advisory" /></section> <section style="padding-left: 10px; display: inline-block; width: 50%; text-align: left; box-sizing: border-box;" data-width="50%"><img decoding="async" class="aligncenter" src="https://www.kubehan.cn/wp-content/uploads/2020/04/frc-731e3a7317eae184eeee6fe7ce8b0ccd.png" alt="[Vulnerability Advisory] Git credential leak vulnerability (CVE-2020-5260) advisory" /></section> </section> <section style="margin-top: 6px; box-sizing: border-box;"><span style="color: #0c0c0c;" data-brushtype="text">Long-press to recognize the QR code and follow for cyber-security threat information</span></section> </section> </section> </section> </section>