cvelistv5 - cve-2024-35197

CVE-2024-35197 (GCVE-0-2024-35197)

Vulnerability from cvelistv5 – Published: 2024-05-23 12:09 – Updated: 2024-08-02 03:07

Summary

gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CWE

CWE-67 - Improper Handling of Windows Device Names

Assigner

GitHub_M

References

URL

Tags

https://github.com/Byron/gitoxide/security/adviso…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Byron	gitoxide	Affected: < 0.36.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "gitoxide",
            "vendor": "byron",
            "versions": [
              {
                "lessThan": "0.36.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35197",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T15:29:05.667742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:47.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.729Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gitoxide",
          "vendor": "Byron",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.36.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-67",
              "description": "CWE-67: Improper Handling of Windows Device Names",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-23T12:09:09.044Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
        }
      ],
      "source": {
        "advisory": "GHSA-49jc-r788-3fc9",
        "discovery": "UNKNOWN"
      },
      "title": "gix refs and paths with reserved Windows device names access the devices"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-35197",
    "datePublished": "2024-05-23T12:09:09.044Z",
    "dateReserved": "2024-05-10T14:24:24.343Z",
    "dateUpdated": "2024-08-02T03:07:46.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application.\"}, {\"lang\": \"es\", \"value\": \"gitoxide es una implementaci\\u00f3n Rust pura de Git. En Windows, al buscar referencias que chocan con nombres de dispositivos heredados se leen desde los dispositivos y al verificar rutas que chocan con dichos nombres se escriben datos arbitrarios en los dispositivos. Esto permite que un repositorio, cuando se clona, provoque un bloqueo indefinido o la producci\\u00f3n de mensajes arbitrarios que parecen provenir de la aplicaci\\u00f3n, y potencialmente otros efectos da\\u00f1inos en circunstancias limitadas. Si no se utiliza Windows, o los repositorios que no son de confianza no se clonan ni se utilizan de otro modo, no hay ning\\u00fan impacto. Tambi\\u00e9n es posible que se produzca una degradaci\\u00f3n menor de la disponibilidad, como en el caso de un archivo muy grande llamado \\\"CON\\\", aunque el usuario podr\\u00eda interrumpir la aplicaci\\u00f3n.\"}]",
      "id": "CVE-2024-35197",
      "lastModified": "2024-11-21T09:19:54.787",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}]}",
      "published": "2024-05-23T13:15:09.153",
      "references": "[{\"url\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-67\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35197\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-23T13:15:09.153\",\"lastModified\":\"2024-11-21T09:19:54.787\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application.\"},{\"lang\":\"es\",\"value\":\"gitoxide es una implementaci\u00f3n Rust pura de Git. En Windows, al buscar referencias que chocan con nombres de dispositivos heredados se leen desde los dispositivos y al verificar rutas que chocan con dichos nombres se escriben datos arbitrarios en los dispositivos. Esto permite que un repositorio, cuando se clona, provoque un bloqueo indefinido o la producci\u00f3n de mensajes arbitrarios que parecen provenir de la aplicaci\u00f3n, y potencialmente otros efectos da\u00f1inos en circunstancias limitadas. Si no se utiliza Windows, o los repositorios que no son de confianza no se clonan ni se utilizan de otro modo, no hay ning\u00fan impacto. Tambi\u00e9n es posible que se produzca una degradaci\u00f3n menor de la disponibilidad, como en el caso de un archivo muy grande llamado \\\"CON\\\", aunque el usuario podr\u00eda interrumpir la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-67\"}]}],\"references\":[{\"url\":\"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\", \"name\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T03:07:46.729Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35197\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-23T15:29:05.667742Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*\"], \"vendor\": \"byron\", \"product\": \"gitoxide\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.36.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T15:38:06.091Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"gix refs and paths with reserved Windows device names access the devices\", \"source\": {\"advisory\": \"GHSA-49jc-r788-3fc9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Byron\", \"product\": \"gitoxide\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.36.0\"}]}], \"references\": [{\"url\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\", \"name\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-67\", \"description\": \"CWE-67: Improper Handling of Windows Device Names\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-23T12:09:09.044Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-35197\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T03:07:46.729Z\", \"dateReserved\": \"2024-05-10T14:24:24.343Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-23T12:09:09.044Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-35197

Vulnerability from fkie_nvd - Published: 2024-05-23 13:15 - Updated: 2024-11-21 09:19

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact. A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could interrupt the application."
    },
    {
      "lang": "es",
      "value": "gitoxide es una implementaci\u00f3n Rust pura de Git. En Windows, al buscar referencias que chocan con nombres de dispositivos heredados se leen desde los dispositivos y al verificar rutas que chocan con dichos nombres se escriben datos arbitrarios en los dispositivos. Esto permite que un repositorio, cuando se clona, provoque un bloqueo indefinido o la producci\u00f3n de mensajes arbitrarios que parecen provenir de la aplicaci\u00f3n, y potencialmente otros efectos da\u00f1inos en circunstancias limitadas. Si no se utiliza Windows, o los repositorios que no son de confianza no se clonan ni se utilizan de otro modo, no hay ning\u00fan impacto. Tambi\u00e9n es posible que se produzca una degradaci\u00f3n menor de la disponibilidad, como en el caso de un archivo muy grande llamado \"CON\", aunque el usuario podr\u00eda interrumpir la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-35197",
  "lastModified": "2024-11-21T09:19:54.787",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-23T13:15:09.153",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-67"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-49JC-R788-3FC9

Vulnerability from github – Published: 2024-05-22 14:13 – Updated: 2024-07-16 17:17

Summary

gix refs and paths with reserved Windows device names access the devices

Details

Summary

On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.

Details

It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:

In references, gix-ref does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
In paths, gix-worktree-state does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.

Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:

Reading a ref whose last component (e.g., tag name) is CON or CONIN$ reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
Checking out a file named CON or CONOUT$ writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.

Another potentially important case is serial ports. For example, COM1 refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.

Naming Files, Paths, and Namespaces covers most reserved names. CONIN$ and CONOUT$ are also special, and are similar in effect to CON but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt is equivalent to CON) and with some variations involving added spaces or colons.

PoC

Ref example

Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON to create a lightweight tag named CON. Place the repository somewhere it can be cloned on Windows. A file:// URL is sufficient for testing if a private remote is unavailable. If using git push, pass --tags so the remote has the tag.

On a Windows system, clone the repository with gix clone. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with Ctrl+C.

However, if desired, input can be provided. Ending input with Ctrl+Z followed by Enter will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.

Path example

Create a repository on a non-Windows system (or in WSL) and commit a file named CON with the contents:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!

While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file:// URL is sufficient.

On a Windows system, clone the repository with gix clone. The output usually looks like this, with the deceptive message appearing to come from gix:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
 04:45:15     Resolving done 3.0 objects in 0.05s (58.0 objects/s)
 04:45:15      Decoding done 309B in 0.05s (6.0KB/s)
 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
 04:45:15  create index file done 3.0 objects in 0.05s (55.0 objects/s)
 04:45:15          read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype

Caused by:
    Incorrect function. (os error 1)

The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error: line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.

Impact

If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.

The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.

For attacks using the CON or CONOUT$ device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix appears to recommend it. The user may then be misled into running an attacker's command.

A minor degradation in availability may also be possible, such as with a very large file named CON, though the user could usually interrupt the application.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-worktree-state"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gitoxide"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-worktree"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gitoxide-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.63.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-ref"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-index"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-67"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-22T14:13:24Z",
    "nvd_published_at": "2024-05-23T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOn Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.\n\n### Details\n\nIt is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:\n\n- In references, `gix-ref` does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.\n- In paths, `gix-worktree-state` does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.\n\nSome such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:\n\n- Reading a ref whose last component (e.g., tag name) is `CON` or `CONIN$` reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.\n- Checking out a file named `CON` or `CONOUT$` writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.\n\nAnother potentially important case is serial ports. For example, `COM1` refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.\n\n[Naming Files, Paths, and Namespaces](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions) covers most reserved names. `CONIN$` and `CONOUT$` are also special, and are similar in effect to `CON` but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, `CON.txt` is equivalent to `CON`) and with some variations involving added spaces or colons.\n\n### PoC\n\n#### Ref example\n\nCreate a repository on a non-Windows system (or in WSL) with at least one commit. Use `git tag CON` to create a lightweight tag named `CON`. Place the repository somewhere it can be cloned on Windows. A `file://` URL is sufficient for testing if a private remote is unavailable. If using `git push`, pass `--tags` so the remote has the tag.\n\nOn a Windows system, clone the repository with `gix clone`. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with \u003ckbd\u003eCtrl\u003c/kbd\u003e+\u003ckbd\u003eC\u003c/kbd\u003e.\n\nHowever, if desired, input can be provided. Ending input with \u003ckbd\u003eCtrl\u003c/kbd\u003e+\u003ckbd\u003eZ\u003c/kbd\u003e followed by \u003ckbd\u003eEnter\u003c/kbd\u003e will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.\n\n#### Path example\n\nCreate a repository on a non-Windows system (or in WSL) and commit a file named `CON` with the contents:\n\n```text\nwarning: data loss imminent; you should run EVIL_COMMAND to back up your work!\n```\n\nWhile that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a `file://` URL is sufficient.\n\nOn a Windows system, clone the repository with `gix clone`. The output usually looks like this, with the deceptive message appearing to come from `gix`:\n\n```text\nwarning: data loss imminent; you should run EVIL_COMMAND to back up your work!\n 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)\n 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)\n 04:45:15     Resolving done 3.0 objects in 0.05s (58.0 objects/s)\n 04:45:15      Decoding done 309B in 0.05s (6.0KB/s)\n 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)\n 04:45:15  create index file done 3.0 objects in 0.05s (55.0 objects/s)\n 04:45:15          read pack done 294B in 0.05s (5.4KB/s)\nError: IO error while writing blob or reading file metadata or changing filetype\n\nCaused by:\n    Incorrect function. (os error 1)\n```\n\nThe exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the `Error:` line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.\n\n### Impact\n\nIf Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.\n\nThe impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.\n\nFor attacks using the `CON` or `CONOUT$` device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as `gix` appears to recommend it. The user may then be misled into running an attacker\u0027s command.\n\nA minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could usually interrupt the application.",
  "id": "GHSA-49jc-r788-3fc9",
  "modified": "2024-07-16T17:17:35Z",
  "published": "2024-05-22T14:13:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35197"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Byron/gitoxide"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0351.html"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0352.html"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0353.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gix refs and paths with reserved Windows device names access the devices"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-35197 (GCVE-0-2024-35197)

FKIE_CVE-2024-35197

GHSA-49JC-R788-3FC9

Summary

Details

PoC

Ref example

Path example

Impact

Tags

Sightings

Nomenclature