How Clone2Leak Attacks Exploit Git Flaws to Steal Your Credentials: A Quick Look at What to Know



Clone2Leak is the name given to a set of vulnerabilities in Git and its credential helpers that let a malicious repository trick a victim's machine into handing stored credentials to an attacker-controlled server. The flaws were found and reported by Japanese researcher RyotaK of GMO Flatt Security and were disclosed, together with fixes for every affected tool, in January 2025. This article summarizes how the attacks work and what to do about them.


How Clone2Leak Exploits Git Authentication

Clone2Leak consists of three distinct but related attacks against Git's authentication flow. All of them abuse the credential-helper protocol: when Git (or a tool built on it) needs a password or token for a URL, it writes a request to the helper as a series of key=value lines (protocol, host, username, and so on, terminated by a blank line), and the helper answers with the secret it has stored for that host. If an attacker can influence what those lines say, the helper can be made to look up the credentials for github.com while the actual connection goes to a server the attacker controls, so the secret is sent straight to the attacker.

Carriage Return Smuggling Attack

One of the attacks, known as carriage-return smuggling, affects GitHub Desktop (CVE-2025-23040) and Git Credential Manager (CVE-2024-50338). Git has long refused newline characters in the decoded components of a URL before passing them to a helper, but until Git 2.48.1 it let carriage returns through. Both helpers treat a lone carriage return as a line terminator, so a submodule URL that contains a percent-encoded carriage return (%0D) followed by an attacker-chosen host= field is read by the helper as two lines, the second of which overrides the real host. The helper then returns the credentials for that host (for example GitHub's) to Git, which sends them to the attacker's server instead of the intended one. Cloning or updating the submodules of a repository that ships such a .gitmodules entry is enough to trigger it.

Newline Injection Vulnerability

Another attack, called newline injection, targets Git LFS (CVE-2024-53263). Git LFS reads its endpoint URL from the repository's own .lfsconfig file, which the attacker fully controls, and builds its own credential request from it. Before version 3.6.1 it did not reject newline characters in that URL, so a crafted .lfsconfig could insert an extra host= line into the request and have the helper return the user's GitHub credentials, which Git LFS then sent to the attacker's server. By the time a downstream helper sees the request the injected line is an ordinary newline-terminated field, indistinguishable from a legitimate one, so the check has to be made where the request is built.
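Both of the injection attacks above come down to one question: which host does the helper end up looking up, and does it match the host the client is actually talking to? The following Python model, written for this article (it is not code from Git, Git Credential Manager, GitHub Desktop, Git LFS or the Clone2Leak write-up), emulates the request a client writes, a helper that splits on a lone carriage return, a helper that does not, and the client-side checks that Git 2.48.1 and Git LFS 3.6.1 added. All URLs are constructed for illustration; where the smuggled text sits in the URL (here the userinfo component, which gets percent-decoded) is an assumption, and the exact URL shapes from the real reports are not reproduced.

```python
"""Added example (not code from Git, GCM, GitHub Desktop, Git LFS or the
Clone2Leak write-up): a model of the credential-helper protocol showing how a
smuggled line changes which host a helper looks up.  All URLs are constructed;
the exact URL shapes used in the real reports are not reproduced here."""
from urllib.parse import unquote, urlsplit

# Constructed attacker URLs. The smuggled "host=github.com" sits in the userinfo
# component, which the client percent-decodes before writing it to the helper
# (placement chosen for illustration only).
CR_URL = "https://bot%0Dhost=github.com@attacker.example/repo.git"   # %0D = \r
LF_URL = "https://bot%0Ahost=github.com@attacker.example/repo.git"   # %0A = \n
SAFE_URL = "https://github.com/example/repo.git"


def build_request(url, protect_protocol=True, reject_newline=True):
    """Emulate the key=value lines a Git client writes to a helper for a `get`.

    reject_newline:   Git's long-standing refusal of '\\n' in decoded URL parts.
                      Git LFS built its own request without it before 3.6.1.
    protect_protocol: Git 2.48.1's credential.protectProtocol (default true),
                      which additionally refuses '\\r' (CVE-2024-52006).
    """
    u = urlsplit(url)
    items = [("protocol", u.scheme), ("host", unquote(u.hostname or ""))]
    if u.username is not None:
        items.append(("username", unquote(u.username)))
    for key, value in items:
        if reject_newline and "\n" in value:
            raise ValueError(f"newline in {key}")
        if protect_protocol and "\r" in value:
            raise ValueError(f"carriage return in {key}")
    return "".join(f"{k}={v}\n" for k, v in items) + "\n"


def helper_parse_vulnerable(stdin_text):
    """Helper-side parsing that treats a lone '\\r' as a line terminator, as
    Python's splitlines() and .NET's StreamReader.ReadLine do.  A later host=
    line silently replaces the earlier one."""
    fields = {}
    for line in stdin_text.splitlines():
        if line == "":
            break                                  # blank line ends the request
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def helper_parse_hardened(stdin_text):
    """Split only on '\\n' and refuse any line that still carries a '\\r'."""
    fields = {}
    for line in stdin_text.split("\n"):
        if line == "":
            break
        if "\r" in line:
            raise ValueError("carriage return in credential request")
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def outcome(url, parse, protect_protocol=True, reject_newline=True):
    """Return (host the client connects to, host the helper looked up), or
    None when the request is refused at either end.  A mismatch between the
    two means the helper's secret for the second host is sent to the first."""
    try:
        fields = parse(build_request(url, protect_protocol, reject_newline))
    except ValueError:
        return None
    return (urlsplit(url).hostname, fields.get("host"))


if __name__ == "__main__":
    cases = [
        ("benign clone, everything fixed", SAFE_URL, helper_parse_hardened, True, True),
        ("CR smuggling, old Git + CR-splitting helper", CR_URL, helper_parse_vulnerable, False, True),
        ("CR smuggling, old Git + fixed helper", CR_URL, helper_parse_hardened, False, True),
        ("CR smuggling, Git 2.48.1 protectProtocol", CR_URL, helper_parse_vulnerable, True, True),
        ("LF injection, pre-3.6.1 LFS + fixed helper", LF_URL, helper_parse_hardened, True, False),
        ("LF injection, LFS 3.6.1", LF_URL, helper_parse_hardened, True, True),
    ]
    for name, url, parse, pp, rn in cases:
        print(f"{name:45s} -> {outcome(url, parse, pp, rn)}")
```

Run as a script, the six cases print side by side. The two leaking cases both show the client talking to attacker.example while the helper looked up github.com. Note the LF row with the hardened helper: it still leaks, because the injected field is a perfectly formed line by the time the helper reads it, which is why the Git LFS fix lives in the code that writes the request rather than in any helper.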

Logic Flaws in GitHub Credential Retrieval

The third attack involves logic flaws in credential retrieval in GitHub CLI (CVE-2024-53858) and GitHub Codespaces. gh can act as a Git credential helper, and that helper was overly permissive about which hosts it would return a token for, so a Git operation against an unintended host could still be answered with the user's GitHub token. Inside Codespaces, where the environment is pre-authenticated, an attacker could therefore steal a GitHub access token simply by getting a user to clone a malicious repository.

Mitigation Strategies and Recommendations

Security updates have been released for every affected tool, and upgrading is the primary fix. The safe versions are GitHub Desktop 3.4.12 or newer, Git Credential Manager 2.6.1 or newer, Git LFS 3.6.1 or newer, GitHub CLI (gh) 2.63.0 or newer, and Git itself 2.48.1 or newer, which closes the carriage-return gap in Git's own credential handling (CVE-2024-52006). Check each of them separately: every fix addresses a different component, and a machine often has several of these tools installed side by side.

Git 2.48.1 also introduced the credential.protectProtocol setting, which makes Git refuse to pass any value containing a carriage return to a credential helper. It is enabled by default, so the practical advice is to make sure it has not been switched off in any of your Git configuration files and not to disable it to work around an error. Users should also audit their credential configuration (git config --show-origin --get-regexp 'credential\.' lists every helper and related setting together with the file that defines it, so unexpected helpers stand out) and be cautious when cloning untrusted repositories, especially ones with submodules or LFS content.
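The checks above are easy to forget across several machines, so here is a small audit script written for this article (not from the advisory or any of the projects) that asks each command-line tool for its version, compares it against the fixed releases listed above, and reads credential.protectProtocol. The version-banner formats in the comments are the ones the tools print today and are treated as assumptions; GitHub Desktop has no command-line entry point and must be checked from its own About dialog, so it is not covered.

```python
"""Added example: a local audit for the Clone2Leak fixes.  Not from the
advisory or any of the projects; banner formats are assumptions."""
import re
import shutil
import subprocess

# Minimum fixed versions: the command-line tools from the article plus Git
# 2.48.1, which ships credential.protectProtocol.
FIXED = {
    "git": (2, 48, 1),
    "git-lfs": (3, 6, 1),
    "gh": (2, 63, 0),
    "git-credential-manager": (2, 6, 1),
}
# argv lists (no shell); expected banner shape in the comment (assumed).
VERSION_CMDS = {
    "git": ["git", "--version"],                             # "git version 2.48.1"
    "git-lfs": ["git", "lfs", "version"],                    # "git-lfs/3.6.1 (GitHub; ...)"
    "gh": ["gh", "--version"],                               # "gh version 2.63.0 (2024-11-27)"
    "git-credential-manager": ["git", "credential-manager", "--version"],  # "2.6.1"
}
_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """First x.y.z triple in a version banner, as an int tuple; None if absent."""
    m = _TRIPLE.search(banner or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_fixed(tool, banner):
    """True when the banner's version is at or above the fixed release."""
    v = parse_version(banner)
    return v is not None and v >= FIXED[tool]


def protect_protocol_enabled(config_value):
    """Interpret the output of `git config --get credential.protectProtocol`.

    On Git >= 2.48.1 the setting defaults to true, so unset (None) counts as
    on; only an explicit false-ish value disables it.  A bare key with no
    value ("") is true, matching Git's boolean parsing of the common spellings.
    """
    if config_value is None:
        return True
    return config_value.strip().lower() not in ("false", "no", "off", "0")


def _run(argv):
    """stdout+stderr of a successful command, None if missing or failing."""
    if shutil.which(argv[0]) is None:
        return None
    try:
        out = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return (out.stdout + out.stderr) if out.returncode == 0 else None


def audit():
    """Dict of tool -> status string; run from a shell to review a machine."""
    report = {}
    for tool, argv in VERSION_CMDS.items():
        banner = _run(argv)
        if banner is None:
            report[tool] = "not installed / not runnable"
            continue
        v = parse_version(banner)
        shown = ".".join(map(str, v)) if v else "?"
        report[tool] = f"{shown} ({'ok' if is_fixed(tool, banner) else 'UPDATE'})"
    git_banner = _run(VERSION_CMDS["git"])
    if git_banner is None or not is_fixed("git", git_banner):
        report["credential.protectProtocol"] = "unavailable (needs Git >= 2.48.1)"
    else:
        cfg = subprocess.run(["git", "config", "--get", "credential.protectProtocol"],
                             capture_output=True, text=True)
        value = cfg.stdout.strip() if cfg.returncode == 0 else None  # exit 1 = unset
        report["credential.protectProtocol"] = (
            "on" if protect_protocol_enabled(value) else "DISABLED")
    return report


if __name__ == "__main__":
    for tool, status in audit().items():
        print(f"{tool:28s} {status}")
```

Anything reported as UPDATE or DISABLED is the action item. The protectProtocol line is only meaningful once Git itself is at 2.48.1 or newer, which is why the script reports it as unavailable on older Git rather than as on.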

Conclusion

No in-the-wild exploitation of Clone2Leak had been reported at the time of disclosure, but the technical details are now public, so the risk of attacks is elevated. Make sure every affected tool is updated, and stay alert for the same pattern elsewhere: a line-based protocol fed with attacker-controlled URL components is not unique to these four tools, and any credential helper that parses its input too loosely can fail the same way.

