Git Vulnerablity

sgoetz
Contributor

So our Security department has found a major bug with all Git Clients that access Git repositories. https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

Im wondering if anyone knows what the most popular Git Clients are on Mac OS x.

Thanks!

36 REPLIES 36

rtrouton
Release Candidate Programs Tester

git comes with Xcode and/or the Xcode command line tools, so there's that one.

Homebrew (http://brew.sh) can also install git, which may or may not be a different version number than the one installed by the Xcode tools (homebrew usually updates faster).

As far as GUI git clients, the ones I know of are these:

GitHub for Mac - https://mac.github.com
SourceTree - http://www.sourcetreeapp.com
Tower - http://www.git-tower.com

emily
Valued Contributor III
Valued Contributor III

Our folks all use the GitHub Mac client.

andyinindy
Contributor II

FYI, Apple has patched the Git vulnerability in Xcode 6.2 beta 3:

http://support.apple.com/en-us/HT204147

jesseshipley
Contributor

I just disabled the preinstalled Apple git with the below script

sudo mv /usr/bin/git /usr/bin/git-apple-insecure

Then I've been getting people on Brew so they can stay current faster. Also did an Extension Attribute for git version to track who is using the old through Brew.

davidacland
Honored Contributor II
Honored Contributor II

We were on the Apple version but have switched to using the Brew version of git.

elliotjordan
Contributor III

In case it's useful, here's an extension attribute that will report the version(s) of Git installed.
https://gist.github.com/homebysix/501a3bc5144b77aecc0c

This can be paired with smart groups to determine which computers are vulnerable;

  • Git version LIKE "git version 1.8" AND Git version NOT LIKE "git version 1.8.5.6"
  • Git version LIKE "git version 1.9" AND Git version NOT LIKE "git version 1.9.5"
  • Git version LIKE "git version 2.0" AND Git version NOT LIKE "git version 2.0.5"
  • Git version LIKE "git version 2.1" AND Git version NOT LIKE "git version 2.1.4"
  • Git version LIKE "git version 2.2" AND Git version NOT LIKE "git version 2.2.1"

These smart groups aren't evergreen; they'll need to be updated as new (non-vulnerable) git versions appear. But that should be a good start for immediate reporting.

MARL
New Contributor

The only issue with running a --version, at least with Apple Git at /usr/bin/git is that if Xcode developer tools are not installed the user receives a prompt to go and get them. So in light of this we need to add additional checks, at least for the apple version of git before do the --version.

andyinindy
Contributor II

@clarkml:

You can exclude Xcode's Git install from the EA by piping the path listing through sed:

CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep PATH= | /usr/bin/colrm 1 5 | sed 's//usr/bin://g'")

We will use this method to find any Git installations outside of Xcode. Thanks, @elliotjordan!

--Andy

elliotjordan
Contributor III

That's a great workaround, @andyinindy. I'll incorporate that into my script. Thanks!

ogonzalez
New Contributor

@jesseshipley do you mind sharing how you were able to get the version to show up for the attribute extension. I created the attribute extension and it shows up as a field now in out inventory display but the field is always blank. Any help would be great thanks

jesseshipley
Contributor

@ogonzalez I don't have access to the same jamf instance anymore so I don't know exactly what I wrote. But it was probably just

echo "<result>$(/usr/bin/git --version | awk '{print $3}')</result>"

Garci4
New Contributor III

bump

Garci4
New Contributor III

I got @elliotjordan's EA working by replacing /usr/bin/printf "<result>$RESULT</result> " with @jesseshipley's suggestion. Just having a mental block... Need to accomplish 2 things, smart group with devices with any version of git installed and the smart group(s)? for those not on the latest version. Wondering what the smart groups should look like for the more recent Git versions, something like this?

Git version LIKE "git version 2.21" AND Git version NOT LIKE "git version 2.21.1"
Git version LIKE "git version 2.22" AND Git version NOT LIKE "git version 2.22.2"
Git version LIKE "git version 2.23" AND Git version NOT LIKE "git version 2.23.1"
Git version LIKE "git version 2.24" AND Git version NOT LIKE "git version 2.24.1"
Git version LIKE "git version 2.25" AND Git version NOT LIKE "git version 2.25.0"

Again sorry, having a Friday mental block and would appreciate insight from others. Anyone automate this to not have update the smart group with new versions?

Garci4
New Contributor III

Was overthinking a bit...for a smart group of devices with Git installed I just did Git version IS NOT and left the value blank. Then looked into this <https://www.jamf.com/jamf-nation/feature-requests/8442/add-recon-as-an-option-in-jss> for running recon on all devices to get immediate reporting on the EA. Now just looking into the smart groups to identify old versions. This was a useful representation of the versions: 4751405de84f45a8b132a0020d0a43cb

jonlju
Contributor

We are also looking into an extension attribute now as there's a new vulnerability. However, using the Extension Attribute above it seems to pick up the Git-version installed by Apple (as the latest version collected is 2.24.3. Does anyone have an extension attribute to show the version of Git installed that comes through brew? Then we will look into disabling the built-in Apple version.

davidjess
New Contributor III

We're doing the same @jonlju

I think we're just going to force everyone with a custom version of git onto 2.30.2 and add the symlink work around to all machines with the basic apple git. I've hacked the EA above to suit my needs to make a brew only EA. Compare the version to a hardcoded one and give an output of 'Safe' 'Unsafe' or 'Not Installed'

Safe = Do nothing
Unsafe = run git upgrade script
Not Installed = run symlinks workaround

#!/bin/sh

###
# Checks to see if git has been installed via homebrew and returns 'Not Installed' if not. If so, it will return 'Safe' or 'Unsafe' with the version number comparing against a hardcoded approved version which you set in this EA
###

CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep PATH= | /usr/bin/colrm 1 5 | sed 's//usr/bin://g' | sed 's//Library/Apple/usr/bin//g'" )
RESULT=""
APPROVEDVERSION=2.30.2

old=$IFS
IFS=:

for p in $CURRENT_PATH; do
    GIT_VERSION="$($p/git --version 2> /dev/null)"
    if [[ $? == 0 ]]; then
        RESULT+="$p $GIT_VERSION"
        VERSION=$(echo "$RESULT" | awk '{ print $4}')
        #VERSION=2.40.1
    fi
done

IFS=$old

INSTVERSION=$(echo "$VERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/1/')
APPVERSION=$(echo "$APPROVEDVERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/1/')

if [[ $VERSION = "" ]]; then
    echo "<result>Not Installed</result>" 
else
    if [[ $INSTVERSION -ge $APPVERSION ]]; then
            echo "<result>Safe - $VERSION</result>"
    else
            echo "<result>Unsafe - $VERSION</result>"
    fi
fi

exit 0

Do you know if users will get 'please install development' tools message if their computer does not have Xcode CLT installed?

ooshnoo
Valued Contributor

@davidjess I was thrown into this mess of patching the latest vulnerability with v.2.30.0.2. Can you share use for the "git upgrade script"

jonlju
Contributor

@davidjess Thanks for sharing! I've updated our EA now with yours as well to check this. We're almost at the end of the week now so I doubt a lot will be done but I'll get back on this on monday to see how we're standing and what actions to take from there.

The symlink workaround you're talking about, is it running this (or similar) targeting the Apple version of Git?

"git config --global core.symlinks false"

davidjess
New Contributor III

@jonlju Yeah, that's what I was thinking, but now I think about it, you may run the risk of users getting a 'please install development' tools message if you ran it on machines without Xcode CLT installed. So might be worth testing.

@ooshnoo here you go, another hacked up one with some lines on the end.

#!/bin/bash

# Script to install Homebrew on a Mac.
# Author: richard at richard - purves dot com
# Version: 1.0 - 21st May 2017

# Heavily hacked by Tony Williams (honestpuck@gmail.com)
# Latest version at https://github.com/Honestpuck/homebrew.sh
# v2.0 - 19th Sept 2019
# v2.0.1 Fixed global cache error
# v2.0.2 Fixed brew location error
# v2.0.3 Added more directories to handle

# v3.0 Catalina version 2020-02-17
# v3.1 | 2020-03-24 | Fix permissions for /private/tmp

# Set up variables and functions here
consoleuser="$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')"

# are we in the right group
check_grp=$(groups ${consoleuser} | grep -c '_developer')
if [[ $check_grp != 1 ]]; then
    /usr/sbin/dseditgroup -o edit -a "${consoleuser}" -t user _developer
fi

# Logging stuff starts here
LOGFOLDER="/private/var/log/"
LOG="${LOGFOLDER}Homebrew.log"

if [ ! -d "$LOGFOLDER" ]; then
    mkdir $LOGFOLDER
fi

function logme()
{
# Check to see if function has been called correctly
    if [ -z "$1" ] ; then
        echo "$(date) - logme function call error: no text passed to function! Please recheck code!"
        echo "$(date) - logme function call error: no text passed to function! Please recheck code!" >> $LOG
        exit 1
    fi

# Log the passed details
    echo -e "$(date) - $1" >> $LOG
    echo -e "$(date) - $1"
}

# Check and start logging
logme "Homebrew Installation"

# Have the xcode command line tools been installed?
logme "Checking for Xcode Command Line Tools installation"
check=$( pkgutil --pkgs | grep -c "CLTools_Executables" )

if [[ "$check" != 1 ]]; then
    logme "Installing Xcode Command Tools"
    # This temporary file prompts the 'softwareupdate' utility to list the Command Line Tools
    touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    clt=$(softwareupdate -l | grep -B 1 -E "Command Line (Developer|Tools)" | awk -F"*" '/^ +\*/ {print $2}' | sed 's/^ *//' | tail -n1)
    # the above don't work in Catalina so ...
    if [[ -z $clt ]]; then
        clt=$(softwareupdate -l | grep  "Label: Command" | tail -1 | sed 's#* Label: (.*)#1#')
    fi
    softwareupdate -i "$clt"
    rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    /usr/bin/xcode-select --switch /Library/Developer/CommandLineTools
fi

# Is homebrew already installed?
if [[ ! -e /usr/local/bin/brew ]]; then
    # Install Homebrew. This doesn't like being run as root so we must do this manually.
    logme "Installing Homebrew"

    mkdir -p /usr/local/Homebrew
    # Curl down the latest tarball and install to /usr/local
    curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C /usr/local/Homebrew

    # Manually make all the appropriate directories and set permissions
    mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/bin /usr/local/etc
    mkdir -p /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin
    mkdir -p /usr/local/share/zsh/site-functions /usr/local/var
    mkdir -p /usr/local/share/doc /usr/local/man/man1 /usr/local/share/man/man1
    chown -R "${consoleuser}":_developer /usr/local/*
    chmod -R g+rwx /usr/local/*
    chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions

    # Create a system wide cache folder  
    mkdir -p /Library/Caches/Homebrew
    chmod g+rwx /Library/Caches/Homebrew
    chown "${consoleuser}:_developer" /Library/Caches/Homebrew

    # put brew where we can find it
    ln -s /usr/local/Homebrew/bin/brew /usr/local/bin/brew

    # Install the MD5 checker or the recipes will fail
    su -l "$consoleuser" -c "/usr/local/bin/brew install md5sha1sum"
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' | 
    tee -a /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc
    chown ${consoleuser} /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc

    # clean some directory stuff for Catalina
    chown -R root:wheel /private/tmp
    chmod 777 /private/tmp
    chmod +t /private/tmp
fi

# Make sure everything is up to date
logme "Updating Homebrew"
su -l "$consoleuser" -c "/usr/local/bin/brew update" 2>&1 | tee -a ${LOG}

# updating git
logme "Updating Git"
su -l "$consoleuser" -c "/usr/local/bin/brew upgrade git"

#forcing git version
logme "Forcing git version"
su -l "$consoleuser" -c "/usr/local/bin/brew link --force git"

# logme user that all is completed
logme "Installation complete"

exit 0

ooshnoo
Valued Contributor

@davidjess thanks for the script. Unfortunately it looks like it's not working and leaves the install of Git untouched, as the EA we used, which is listed above, still shows the version as being "Unsafe - 2.25.0"

EDIT... never mind. Fixed it!!! On line 113 I changed "brew install git" to "brew upgrade git"

davidjess
New Contributor III

Sorry, meant to come back along and post that change!

davidjess
New Contributor III

Noticed a small amount of machines not being able to update and complaining of a shallow cask - added a couple of lines to fix.

#!/bin/zsh

#################################################################################################   
#
# Created by: David Jess
# Date: 15 Mar 2021
#

# Requirements:
# macOS 10.14.0 or later
#
# Description: This script asks brew to patch Git to the latest version
#
#  
#################################################################################################

#################################################################################################

## VARIABLES

consoleuser="$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')"

## FUNCTIONS

### Check group permissions ###

function CheckGroup ()
{
# are we in the right group
check_grp=$(groups ${consoleuser} | grep -c '_developer')
if [[ $check_grp != 1 ]]; then
    /usr/sbin/dseditgroup -o edit -a "${consoleuser}" -t user _developer
    echo "Group changed"
else
    echo "Group ok"
fi
}

### Check if homebrew is installed

function CheckBrew ()
{

# Is homebrew already installed?
if [[ ! -e /usr/local/bin/brew ]]; then
    # Install Homebrew. This doesn't like being run as root so we must do this manually.
    echo "Brew not installed"
    echo "Installing Homebrew"

    mkdir -p /usr/local/Homebrew
    # Curl down the latest tarball and install to /usr/local
    curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C /usr/local/Homebrew

    # Manually make all the appropriate directories and set permissions
    mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/bin /usr/local/etc
    mkdir -p /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin
    mkdir -p /usr/local/share/zsh/site-functions /usr/local/var
    mkdir -p /usr/local/share/doc /usr/local/man/man1 /usr/local/share/man/man1
    chown -R "${consoleuser}":_developer /usr/local/*
    chmod -R g+rwx /usr/local/*
    chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions

    # Create a system wide cache folder  
    mkdir -p /Library/Caches/Homebrew
    chmod g+rwx /Library/Caches/Homebrew
    chown "${consoleuser}:_developer" /Library/Caches/Homebrew

    # put brew where we can find it
    ln -s /usr/local/Homebrew/bin/brew /usr/local/bin/brew

    # Install the MD5 checker or the recipes will fail
    su -l "$consoleuser" -c "/usr/local/bin/brew install md5sha1sum"
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' | 
    tee -a /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc
    chown ${consoleuser} /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc

    # clean some directory stuff for Catalina
    chown -R root:wheel /private/tmp
    chmod 777 /private/tmp
    chmod +t /private/tmp
else
    echo "Homebrew already installed"
fi

}

### Upgrade git and link

function UpgradeGit ()
{

# mitigation for shallow cask

su -l "$consoleuser" -c "/usr/local/bin/git -C "/usr/local/Homebrew/Library/Taps/homebrew/homebrew-core" fetch --unshallow"
su -l "$consoleuser" -c "/usr/local/bin/git -C "/usr/local/Homebrew/Library/Taps/homebrew/homebrew-cask" fetch --unshallow"

# updating git
echo "Upgrading Git"
su -l "$consoleuser" -c "/usr/local/bin/brew upgrade git"

#forcing git version
echo "Forcing git version"
su -l "$consoleuser" -c "/usr/local/bin/brew link --force git"

}

################################################################################################

## MAIN SCRIPT

echo "Script Starting..."
echo "Checking group...."
CheckGroup
echo "Check if brew is installed..."
CheckBrew
echo "Starting Git Upgrade of git..."
UpgradeGit
echo "Script completed"
exit 0

nelreda
New Contributor

@davidjess -- thanks for posting your scripts. I'm using your EA to find machines that are running homebrew and need updating and noticed it doesn't seem to be playing nice on Big Sur/M1 machines. Just says "Not Installed" when it definitely is. My knowledge of homebrew installation/pathing and scripting unfortunately is too basic to figure out the issue. Works great on other machines. Any ideas?

**Update: Homebrew installs in the /opt directory on Big Sur as opposed to /usr/local Catalina (and probably Mojave) machines. So there's that

jonlju
Contributor

Apparently if you install Git using the binary (available in Sourceforge) it can't be found with the extension attribute, so have to look into that as well as some developers are using that installation.

A_Eaton
New Contributor III

Hey all. New here and looking for a solution similar to what has been discussed above. There is a new Git vuln and I need to be able to report versioning in Jamf to get a handle. I tried creating an EA from above and nothing seems to be displaying. Any insight would be helpful, thanks!

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/ 

BrianD
New Contributor

Anyone have more info on this for an EA for Git Versions? The script works for me put I have to remove "| sed 's/\/usr\/bin://g'" in the current path variable. However, removing this also prompts the pop-up for developer tools.

I'm also looking into this as we've had some issue with the previously working script on Silicon Macs, now that there's a new vulnerability.

bmack99
Contributor III

Throwing my hat into the ring here. We have a new git vulnerability on our Qualys scans and from what i'm seeing with the latest apple cli dev tools install it's installing a vulnerable version(2.37.1 of Apple Git). We blocked HomeBrew about a year or so ago due to other Security concerns, so all of the machines should be either Apple's devtool CLI install, or one of the other GUI git versions. Does anyone have an EA to detect these on intel and ARM chipset devices(mix of macOS 10.15.7, 11.x, 12.x and now thanks to no more majorOS deferrals and non admin users being able to upgrade to macOS 13, also macOS 13 devices :) )

rnoureddine
New Contributor III

I'm also looking to create an EA to lookup the git version of Apple git and brew. If anyone has a script for it, please share.

ImAMacGuy
Valued Contributor II

Same here...

Since Jamf runs as root and, thus, does not abide by a user's PATH, the default command will function and tell you that it's v. 2.24.3. The command is: git --version | awk '{ print $3 }'

For Homebrew, things have gotten weird. Since people can transfer from an Intel to an M1, some Homebrew apps can remain in the old folder structure even after running the proper Homebrew migration programs.

So, I decided to set up two separate, very simplified, Extension Attributes. Rather than attempting to pull the whole path and cut it up from there, which seemed to fail after all of my runs within a root terminal, it specifies the Homebrew installation folders directly and ignores everything else. This might not be okay for some who are required to search all folders for any possible git executable.

 

#!/bin/sh

# Extension attribute for a Homebrew installed git on ARM Macs
# Dave Segreto

# Default result is "Unknown"
RESULT="Unknown"

# Check if git exists
if [[ -e /opt/homebrew/bin/git ]]; then
  # If it exists, gather the version.
  GIT_VERSION=$(/opt/homebrew/bin/git --version | awk '{ print $3 }')
  # If GIT_VERSION is not empty, set it as the new RESULT
  if [[ -n "$GIT_VERSION" ]]; then
    RESULT=$GIT_VERSION
  fi
fi

echo "<result>$RESULT</result>"

#END

 

The Intel version is the same, substituting in /usr/local/bin/git as the filename. So far, the ARM one is working. I don't see a reason the Intel one wouldn't, but cannot confirm it just yet as I uploaded them like 5 minutes ago.

I default the return value to "Unknown". Thus, you'll see that as a "yes this ran but found no answer", differentiating it from those that have not run yet.

Nice! I think with this modification it will work for both arm64 and Intel in the same extension attribute. 

#!/bin/sh

# Extension attribute for a Homebrew installed git on ARM Macs
# Dave Segreto

# Default result is "Unknown"
RESULT="Unknown"

# Get machine type
UNAME_MACHINE="$(uname -m)"

# Set the prefix based on the machine type
if [[ "$UNAME_MACHINE" == "arm64" ]]; then
    # M1/arm64 machines
    HOMEBREW_PREFIX="/opt/homebrew"
else
    # Intel machines
    HOMEBREW_PREFIX="/usr/local"
fi

# Check if git exists
if [[ -e $HOMEBREW_PREFIX/bin/git ]]; then
  # If it exists, gather the version.
  GIT_VERSION=$($HOMEBREW_PREFIX/bin/git --version | awk '{ print $3 }')
  # If GIT_VERSION is not empty, set it as the new RESULT
  if [[ -n "$GIT_VERSION" ]]; then
    RESULT=$GIT_VERSION
  fi
fi

echo "<result>$RESULT</result>"

#END


Using CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console) you could also run commands as the current user to find if Apple Git is installed (if it is, we'd want to make sure the Homebrew version gets installed as the active Git version). The problem is that running git --version on a Mac will trigger the installation of developer tools if it's not already installed, so it'd have to find a way to not trigger that.

dave_segreto
New Contributor II

Awesome. I decided to use separate EAs in case anyone transferred from an x86 to an M1 and, thus, has both git locations installed. I noticed this happen on my own machine.

I also found that using the CURRENT_USER trick failed on some machines. I suspect that this also affected machines that had Homebrew transferred. The new PATH wasn't added for the root user. So, while maybe the user would add it locally to their .zshrc or .bashrc file, Jamf would not register that change when it runs the command.

Thanks @dave_segreto this worked, I did have to modify the path for intel to use /usr/bin/git

Using /usr/local/bin/git returned Unknown result.

 

Oh, interesting. Any idea when Homebrew changed the default installation location? I wonder if it's worth adding a method for checking both locations for x86 machines.