HSEC-2023-0009..0013: git-annex historical advisories

Author: frasertweedale

advisories/hackage/git-annex/HSEC-2023-0009.md

@@ -0,0 +1,46 @@
+```toml
+[advisory]
+id = "HSEC-2023-0009"
+cwe = [20, 78]
+keywords = ["ssh", "command-injection", "historical"]
+aliases = ["CVE-2017-12976"]
+related = ["CVE-2017-9800", "CVE-2017-12836", "CVE-2017-1000116", "CVE-2017-1000117"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+[[affected.versions]]
+introduced = "0.1"
+fixed = "6.20170818"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2017-12976/"
+[[references]]
+type = "FIX"
+url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471"
+```
+
+# *git-annex* command injection via malicious SSH hostname
+
+*git-annex* was vulnerable to the same class of security hole as
+git's **CVE-2017-1000117**. In several cases, `git-annex` parses a
+repository URL, and uses it to generate a `ssh` command, with the
+hostname to ssh to coming from the URL. If the hostname it parses is
+something like `-eProxyCommand=evil`, this could result in arbitrary
+local code execution.
+
+Some details of URL parsing may prevent the exploit working in some
+cases.
+
+Exploiting this would involve the attacker tricking the victim into
+adding a remote something like `ssh://-eProxyCommand=evil/blah`.
+
+One possible avenue for an attacker that avoids exposing the URL to
+the user is to use `initremote` with an SSH remote, so embedding the
+URL in the *git-annex* branch. Then the victim would enable it with
+`enableremote`.
+
+This was fixed in version **6.20170818**. Now there's a `SshHost`
+type that is not allowed to start with a dash, and every invocation
+of `git-annex` uses a function that takes a `SshHost`.

advisories/hackage/git-annex/HSEC-2023-0010.md

@@ -0,0 +1,78 @@
+```toml
+[advisory]
+id = "HSEC-2023-0010"
+cwe = [200, 610]
+keywords = ["exfiltration", "historical"]
+aliases = ["CVE-2018-10857"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+[[affected.versions]]
+introduced = "0.1"
+fixed = "6.20180626"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
+```
+
+# *git-annex* private data exfiltration to compromised remote
+
+Some uses of git-annex were vulnerable to a private data exposure
+and exfiltration attack. It could expose the content of files
+located outside the *git-annex* repository, or content from a
+private web server on localhost or the LAN.  Joey Hess discovered
+this attack.
+
+To perform this attack, the attacker needs to have control over one
+of the remotes of the victim's *git-annex* repository. For example,
+they may provide a public *git-annex* repository that the victim
+clones. Or, equivalantly, the attacker could have read access to the
+victim's *git-annex* repository or a repository it pushes to, and
+some channel to get commits into it (e.g. pull requests).
+
+These exploits are most likely to succeed when the victim is running
+the `git-annex` assistant, or is periodically running `git annex
+sync --content`.
+
+To perform the attack the attacker runs `git-annex addurl --relaxed
+file:///etc/passwd` and commits this to the repository in some out
+of the way place.  After the victim's git repository receives that
+change, `git-annex` follows the attacker-provided URL to the private
+data, which it stores in the *git-annex* repository.  From there it
+transfers the content to the remote *git-annex* repository that the
+attacker has access to.
+
+As well as `file:///` URLs, the attacker can use URLs to private web
+servers.  The URL can also be one that the attacker controls, that
+redirects to a URL that is accessible to the victim system (and not
+necessarily the compromised remote).
+
+## Fix
+
+The issue was fixed by making `git-annex` refuse to follow
+`file:///` urls and URLs pointing to private/local IP addresses by
+default.  Two new configuration settings,
+`annex.security.allowed-url-schemes` and
+`annex.security.allowed-ip-addresses`, can relax this security
+policy, and are intended for cases where the *git-annex* repository
+is kept private and so the attack does not apply.
+
+## Impact on external special remotes
+
+One variant of this issue can exploit a vulnerable external special
+remote, and could not be prevented by `git-annex`.  (`git-annex`'s
+own built-in special remotes are not vulnerable to this attack.)
+
+In this attack variant, the attacker guesses the hash of a file
+stored on the victim's private web server, and adds it to the
+`git-annex` repository.  The attacker also has control of the server
+hosting an encrypted special remote used by the victim's *git-annex*
+repository.  They cause that server to redirect to the victim's web
+server.  This allows the attacker to verify if the victim's web
+server contains a file that the attacker already knows the content
+of, assuming they can guess the URL to it.
+
+Developers of external special remotes are encouraged to prevent
+this attack by not following such HTTP redirects.

advisories/hackage/git-annex/HSEC-2023-0011.md

@@ -0,0 +1,47 @@
+```toml
+[advisory]
+id = "HSEC-2023-0011"
+cwe = [200]
+keywords = ["exfiltration", "pgp", "historical"]
+aliases = ["CVE-2018-10859"]
+related = ["HSEC-2023-0010", "CVE-2018-10857"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+[[affected.versions]]
+introduced = "0.20110417"
+fixed = "6.20180626"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
+```
+
+# *git-annex* GPG decryption attack via compromised remote
+
+A malicious server for a special remote could trick `git-annex` into
+decrypting a file that was encrypted to the user's GPG key.  This
+attack could be used to expose encrypted data that was never stored
+in *git-annex*.  Daniel Dent discovered this attack in collaboration
+with Joey Hess.
+
+To perform this attack the attacker needs control of a server
+hosting an *encrypted* special remote used by the victim's
+*git-annex* repository.  The attacker uses `git annex addurl
+--relaxed` with an innocuous URL, and waits for the user's
+`git-annex` to download it, and upload an (encrypted) copy to the
+special remote they also control.  At some later point, when the
+user downloads the content from the special remote, the attacker
+instead sends them the content of the GPG-encrypted file that they
+wish to have decrypted in its place (which may have been exfiltrated
+from the victim's system via the attack described in
+**HSEC-2023-0010** / **CVE-2018-10857**, or acquired by other
+means).  Finally, the attacker drops their own copy of the original
+innocuous URL, and waits for the victim `git-annex` to send them the
+accidentially decrypted file.
+
+The issue was fixed by making `git-annex` refuse to download
+encrypted content from special remotes, unless it knows the hash of
+the expected content.  When the attacker provides some other
+GPG-encrypted content, it will fail the hash check and be discarded.

advisories/hackage/git-annex/HSEC-2023-0012.md

@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "HSEC-2023-0012"
+cwe = [200]
+keywords = ["historical"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+[[affected.versions]]
+introduced = "0.20110417"
+fixed = "6.20160419"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/"
+[[references]]
+type = "FIX"
+url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657"
+```
+
+# *git-annex* checksum exposure to encrypted special remotes
+
+A bug exposed the checksum of annexed files to encrypted special
+remotes, which are not supposed to have access to the checksum of
+the un-encrypted file.  This only occurred when resuming uploads to
+the encrypted special remote, so it is considered a low-severity
+security hole.
+
+For details, see commit `b890f3a53d936b5e40aa9acc5876cb98f18b9657`.
+
+No CVE was assigned for this issue.
+
+Fixed in *git-annex-6.20160419*.

advisories/hackage/git-annex/HSEC-2023-0013.md

@@ -0,0 +1,73 @@
+```toml
+[advisory]
+id = "HSEC-2023-0013"
+cwe = [312]
+keywords = ["historical"]
+aliases = ["CVE-2014-6274"]
+
+[[affected]]
+package = "git-annex"
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+[[affected.versions]]
+introduced = "0.20110401"
+fixed = "5.20140919"
+
+[[references]]
+type = "ADVISORY"
+url = "https://git-annex.branchable.com/security/CVE-2014-6274/"
+[[references]]
+type = "ARTICLE"
+url = "https://git-annex.branchable.com/upgrades/insecure_embedded_creds/"
+```
+
+# *git-annex* plaintext storage of embedded credentials on encrypted remotes
+
+*git-annex* had a bug in the **S3** and **Glacier** remotes where if
+`embedcreds=yes` was set, and the remote used `encryption=pubkey` or
+`encryption=hybrid`, the embedded AWS credentials were stored in the
+Git repository in (effectively) plaintext, not encrypted as they
+were supposed to be.
+
+That means that anyone who gets a copy of the Git repository can
+extract the AWS credentials from it.  Which would be bad.
+
+A remote with this problem cannot be enabled using `git annex
+enableremote`. Old versions of *git-annex* will fail with a GPG
+error; the current version will fail with a pointer to this web
+page.
+
+## Remediation
+
+If your repository has this problem, chose from one of these
+approaches to deal with it:
+
+1. Change your AWS credentials, so the ones stored in the clear in
+   git won't be used.
+
+   After changing the credentials, make sure you have a fixed
+   version of git-annex, and you can then re-embed the new creds
+   into the repository, encrypted this time, by setting the
+   `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment
+   variables, and running `git annex enableremote $remotename
+   embedcreds=yes`.
+
+2. Fix the problem and then remove the history of the *git-annex*
+   branch of the repository.
+
+   Make sure you have a fixed version of *git-annex*, and force
+   *git-annex* to rewrite the embedded creds, with encryption this
+   time, by setting by setting the `AWS_SECRET_ACCESS_KEY` and
+   `AWS_ACCESS_KEY_ID` environment variables, and running `git annex
+   enableremote $remotename embedcreds=yes`.
+
+   Then, to get rid of old versions of the *git-annex* branch that
+   still contains the creds in cleartext, you can use `git annex
+   forget`; note that it will remove other historical data too.
+
+   Keep in mind that this will not necessarily delete data from
+   clones you do not control.
+
+3. If you're sure that you're the only one who has access to the
+   repository, you could decide to leave it as-is.  It's no more
+   insecure than if you had used `encryption=shared` in the first
+   place when setting it up.