CVE-2023-22743 : Security Advisory and Response
Learn about CVE-2023-22743 affecting Git for Windows < 2.39.2. Vulnerability allows attackers to execute malicious code during software upgrades. Find mitigation steps here.
This CVE involves Git for Windows' installer being susceptible to DLL side-loading attacks. It has a high severity level with a base score of 7.3.
Understanding CVE-2023-22743
Git for Windows, the Windows port of the revision control system Git, prior to version 2.39.2, is vulnerable to DLL side-loading attacks. Attackers can exploit this vulnerability by placing a carefully crafted DLL in a specific subdirectory next to the Git for Windows installer. This can lead to the execution of malicious payloads during automated upgrades with elevation.
What is CVE-2023-22743?
CVE-2023-22743 is classified as CWE-426: Untrusted Search Path. It has a high impact on confidentiality, integrity, and availability, with high complexity and local attack vector.
The Impact of CVE-2023-22743
The impact of this vulnerability is significant as it allows attackers with local write access to plant malicious payloads that can be executed during Git for Windows installer upgrades. This can result in unauthorized access, data manipulation, and system compromise.
Technical Details of CVE-2023-22743
Git for Windows version < 2.39.2 is affected by this vulnerability. The patch for this issue is included in version 2.39.2.
Vulnerability Description
The vulnerability arises from the improper loading of DLL files, allowing for the execution of arbitrary code during software installation or upgrade processes.
Affected Systems and Versions
- Vendor: git-for-windows
- Product: git
- Affected Version: < 2.39.2
Exploitation Mechanism
By placing a crafted DLL in a specific subdirectory next to the Git for Windows installer, attackers can trigger the side-loading of DLL files and execute malicious payloads during software upgrades.
Mitigation and Prevention
It is crucial to take immediate steps to mitigate the risks associated with CVE-2023-22743.
Immediate Steps to Take
- Ensure to update Git for Windows to version 2.39.2 or higher to apply the security patch.
- Avoid leaving untrusted files in the Downloads folder or its sub-folders before running the Git for Windows installer.
Long-Term Security Practices
- Regularly update software to the latest patched versions to prevent known vulnerabilities.
- Implement strict file integrity checks and access controls to prevent unauthorized modifications.
Patching and Updates
- Git for Windows version 2.39.2 contains the necessary patch to address this vulnerability. Make sure to update to this version or later to safeguard against DLL side-loading attacks.