Addressing Git Vulnerabilities in Ubuntu 18.04 and 16.04
Canonical has released security updates for Ubuntu 16.04 ESM and Ubuntu 18.04 ESM to address multiple vulnerabilities in Git, a powerful and widely used distributed version control system. These vulnerabilities may allow attackers to overwrite files outside the repository, inject arbitrary configuration, or even execute arbitrary code.
In this article, we’ll explore the details of these vulnerabilities and how to protect end-of-life Linux systems that may still be at risk.
Overview of Git Vulnerabilities
Several issues were identified that could compromise system security. Here are the vulnerabilities that have been fixed:
CVE-2023-25815
Discovered by Maxime Escourbiac and Yassine Bengana, this vulnerability stems from Git's incorrect handling of certain gettext machinery. It could allow attackers to craft and place malicious messages on the system, with serious implications for the integrity of your data.
CVE-2024-32002
This vulnerability involves Git’s improper handling of submodules. Attackers could exploit this flaw to execute arbitrary code, posing a significant risk to system integrity.
CVE-2024-32004 and CVE-2024-32465
These vulnerabilities involve improper handling of cloned repositories. If exploited, attackers could use them to execute arbitrary code on the system. The patches for these issues have been released for Ubuntu 18.04.
CVE-2024-32020
Git’s mishandling of local clones with hardlinked files or directories opened up another avenue for attackers. They could place a specialized repository on a target’s system, leading to possible code execution or data manipulation. This issue was patched in Ubuntu 18.04.
CVE-2024-32021
This vulnerability pertains to Git’s incorrect handling of certain symlinks. An attacker could hardlink arbitrary files into the repository’s object directory, threatening the availability and integrity of the system. Ubuntu 18.04 received a patch to address this issue.
Protecting Your Systems
To mitigate the risks posed by these vulnerabilities, it’s crucial to update your Git installation to the latest patched version. Canonical, the company behind Ubuntu, has released security updates for various Ubuntu versions, including those under Extended Security Maintenance (ESM).
For Ubuntu users on older, end-of-life versions like Ubuntu 16.04 and 18.04, Canonical offers ESM through the Ubuntu Pro subscription. However, the service comes at a high cost and may not be feasible for all organizations, particularly businesses with budget constraints.
TuxCare’s Extended Lifecycle Support (ELS)
For organizations running end-of-life Ubuntu versions, TuxCare’s ELS offers an affordable solution. ELS provides five years of vendor-grade security patches after the official end-of-life date, covering over 140 packages, including Git, Linux kernel, OpenSSL, glibc, and more.
TuxCare currently supports the following Linux distributions:
- CentOS 6, CentOS 7, and CentOS 8
- CentOS Stream 8
- Oracle Linux 6 and Oracle Linux 7
- Ubuntu 16.04 and Ubuntu 18.04
The extended support allows organizations to continue using their existing infrastructure while ensuring it remains secure and compliant. For enterprises operating on legacy systems, TuxCare provides a reliable and cost-effective way to maintain security without the need for disruptive upgrades or migrations.
Source: USN-7023-1