git2 Rust package suppresses ssh host key checking

2023-01-1212:00:00

Google

osv.dev

git2

rust package

ssh

host key

checking

malicious data

exposure

denial of service

EPSS

0.001

Percentile

38.5%

JSON

By default, when accessing an ssh repository
(ie via an ssh: git repository url)
the git2 Rust package does not do any host key checking.

Additionally,
the provided API is not sufficient for a an application
to do meaningful checking itself.

Impact

When connecting to an ssh repository,
and when an attacker can redirect the connection
(performing a malice-in-the-middle attack)
an affected application might:

Receive git objects and branches controlled by the attacker,
exposing the local system (and whatever happens next)
to malicious data.
In many circumstances,
this could readily lead to privilege escalation.
Erroneously send git objects to the attacker,
rather than to the intended recipient.
If the information is not supposed to be public,
this would constitute an information leak.
Also, since the data doesn’t arrive where intended,
it consitutes a denial of service.

Technical details

The git2 Rust package (henceforth, git2-rs)
unconditionally calls the underlying C libgit2 functions to set
an ssh certificate check callback.
The Rust package uses this to offer
the ability for the application to set a callback to a Rust function.

The C-level callback function provided by git2-rs 0.15.0 and earlier:

Always ignores the is_valid argument provided by libgit2,
which indicates whether libgit2 considers the host key valid
By default, performs no checks, and then
returns code 0,
indicating to libgit2 to override libgit2’s determination
and treat the host key as valid.
Provides only limited APIs to the application
for examining the supplied host key,
and doesn’t tell the application
whether libgit2’s checks succeeded,
so it is difficult for the application cannot work around the problem.