rustsec-2023-0002
Vulnerability from osv_rustsec
Published
2023-01-12 12:00
Modified
2023-02-09 03:11
Summary
git2 Rust package suppresses ssh host key checking
Details

By default, when accessing an ssh repository (ie via an ssh: git repository url) the git2 Rust package does not do any host key checking.

Additionally, the provided API is not sufficient for a an application to do meaningful checking itself.

Impact

When connecting to an ssh repository, and when an attacker can redirect the connection (performing a malice-in-the-middle attack) an affected application might:

  • Receive git objects and branches controlled by the attacker, exposing the local system (and whatever happens next) to malicious data. In many circumstances, this could readily lead to privilege escalation.

  • Erroneously send git objects to the attacker, rather than to the intended recipient. If the information is not supposed to be public, this would constitute an information leak. Also, since the data doesn't arrive where intended, it constitutes a denial of service.

Technical details

The git2 Rust package (henceforth, git2-rs) unconditionally calls the underlying C libgit2 functions to set an ssh certificate check callback. The Rust package uses this to offer the ability for the application to set a callback to a Rust function.

The C-level callback function provided by git2-rs 0.15.0 and earlier:

  • Always ignores the is_valid argument provided by libgit2, which indicates whether libgit2 considers the host key valid

  • By default, performs no checks, and then returns code 0, indicating to libgit2 to override libgit2's determination and treat the host key as valid.

  • Provides only limited APIs to the application for examining the supplied host key, and doesn't tell the application whether libgit2's checks succeeded, so it is difficult for the application cannot work around the problem.

Resolution

Upgrade to git2-rs 0.16.x.

The default behaviour in 0.16.x is to honour libgit2's validity determination.

Note that adding this previously skipped check may cause existing setups to stop working.

Relationship to CVE-2022-46176

This bug manifested in cargo where it was assigned CVE-2022-46176.

The same bug exists in other applications which use affected versions of git2-rs unless they never try to access git repositories with ssh: urls.

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "crypto-failure"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "git2",
        "purl": "pkg:cargo/git2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "By default, when accessing an ssh repository\n(ie via an `ssh:` git repository url)\nthe git2 Rust package does not do any host key checking.\n\nAdditionally,\nthe provided API is not sufficient for a an application\nto do meaningful checking itself.\n\n## Impact\n\nWhen connecting to an ssh repository,\nand when an attacker can redirect the connection\n(performing a malice-in-the-middle attack)\nan affected application might:\n\n * Receive git objects and branches controlled by the attacker,\n   exposing the local system (and whatever happens next)\n   to malicious data.\n   In many circumstances,\n   this could readily lead to privilege escalation.\n\n * Erroneously send git objects to the attacker,\n   rather than to the intended recipient.\n   If the information is not supposed to be public,\n   this would constitute an information leak.\n   Also, since the data doesn\u0027t arrive where intended,\n   it constitutes a denial of service.\n\n## Technical details\n\nThe `git2` Rust package (henceforth, git2-rs)\nunconditionally calls the underlying C `libgit2` functions to set\nan ssh certificate check callback.\nThe Rust package uses this to offer\nthe ability for the application to set a callback to a Rust function.\n\nThe C-level callback function provided by git2-rs 0.15.0 and earlier:\n\n * Always ignores the `is_valid` argument provided by `libgit2`,\n   which indicates whether `libgit2` considers the host key valid\n\n * By default, performs no checks, and then\n   returns code `0`,\n   indicating to `libgit2` to override `libgit2`\u0027s determination\n   and treat the host key as valid.\n\n * Provides only limited APIs to the application\n   for examining the supplied host key,\n   and doesn\u0027t tell the application\n   whether `libgit2`\u0027s checks succeeded,\n   so it is difficult for the application cannot work around the problem.\n\n## Resolution\n\nUpgrade to git2-rs 0.16.x.\n\nThe default behaviour in 0.16.x is to\nhonour `libgit2`\u0027s validity determination.\n\nNote that adding this previously skipped check\nmay cause existing setups to stop working.\n\n## Relationship to CVE-2022-46176\n\nThis bug manifested in cargo where it was assigned CVE-2022-46176.\n\nThe same bug exists in other applications which use\naffected versions of git2-rs\nunless they never try to access git repositories with `ssh:` urls.",
  "id": "RUSTSEC-2023-0002",
  "modified": "2023-02-09T03:11:29Z",
  "published": "2023-01-12T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/git2"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0002.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/git2-rs/pull/909"
    },
    {
      "type": "WEB",
      "url": "https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "git2 Rust package suppresses ssh host key checking",
  "withdrawn": "2023-01-13T12:00:00Z"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.