CVE-2020-27955 Overview
CVE-2020-27955 is a Remote Code Execution (RCE) vulnerability affecting Git Large File Storage (Git LFS) version 2.12.0. This vulnerability allows attackers to execute arbitrary code on systems running the vulnerable version of Git LFS through a maliciously crafted Git repository. The flaw stems from an Uncontrolled Search Path Element issue (CWE-427), where Git LFS improperly handles executable path resolution on Windows systems.
Critical Impact
This vulnerability enables unauthenticated remote attackers to achieve complete system compromise by executing arbitrary code with the privileges of the user running Git LFS operations. Given the widespread use of Git LFS in development environments, exploitation could lead to supply chain attacks and lateral movement within development infrastructure.
Affected Products
- Git Large File Storage version 2.12.0
- Git LFS installations on Windows platforms
- Development environments and CI/CD systems using vulnerable Git LFS versions
Discovery Timeline
- November 5, 2020 - CVE-2020-27955 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-27955
Vulnerability Analysis
This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), a type of DLL Hijacking or binary planting vulnerability. The root cause lies in how Git LFS resolves and executes external programs on Windows systems. When Git LFS attempts to invoke Git or other helper executables, it relies on the system's PATH environment variable and current working directory for resolution. An attacker can exploit this behavior by placing a malicious executable in a directory that is searched before the legitimate program location.
The attack is particularly dangerous because it can be triggered automatically when a user clones or interacts with a malicious Git repository. The repository can contain files with names matching executables that Git LFS expects to invoke (such as git.exe or git.bat), causing the malicious payload to execute instead of the legitimate program.
Root Cause
The vulnerability exists due to improper search path handling in Git LFS on Windows platforms. When Git LFS needs to execute Git commands or other helper programs, it does not properly sanitize or restrict the search path, allowing executables in the current working directory or other untrusted locations to take precedence over legitimate system binaries. This is a classic example of an uncontrolled search path element vulnerability where the application trusts user-controlled paths during executable resolution.
Attack Vector
The attack vector is network-based: it requires no authentication and no user interaction beyond ordinary Git operations on the attacker's repository. An attacker creates a malicious Git repository containing a specially crafted executable file (such as git.exe, git.bat, or another helper program) in a location that Git LFS will search during operations like clone, pull, or checkout.
When a victim clones or operates on this malicious repository, Git LFS inadvertently executes the attacker-controlled binary instead of the legitimate Git executable. This results in arbitrary code execution with the privileges of the user performing the Git operation.
The exploitation flow involves:
- Attacker creates a repository with a malicious executable matching expected binary names
- Victim clones or interacts with the repository using Git LFS
- Git LFS searches for executables and finds the malicious binary first
- Malicious code executes with the victim's privileges
For detailed technical analysis, refer to the Legal Hackers CVE-2020-27955 Advisory and Packet Storm Security.
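The search-order problem described above, as an added example (not Git LFS's own code or the advisory's): a small model of executable resolution in which the current working directory is consulted before the trusted search list, next to a hardened lookup that skips the working directory and any relative search entry. The directory layout, the file names git.bat and git.exe, and the suffix list are constructed for the demonstration; the hardened variant shows the pattern the page describes (search only trusted, absolute directories), not the exact change the project shipped.

```python
import os
import tempfile
from pathlib import Path

# Suffixes Windows tries for a bare command name (a subset of PATHEXT); assumed for the demo
EXEC_SUFFIXES = (".exe", ".bat", ".cmd")


def resolve_executable(name, search_dirs, cwd=None):
    """Model of the vulnerable behaviour: the current working directory is
    consulted before every entry of the search list, so a file inside the
    checkout shadows the real program."""
    dirs = ([cwd] if cwd is not None else []) + list(search_dirs)
    for d in dirs:
        for suffix in EXEC_SUFFIXES:
            candidate = Path(d) / (name + suffix)
            if candidate.is_file():
                return str(candidate)
    return None


def resolve_executable_hardened(name, search_dirs):
    """Hardened lookup: never consult the working directory, and ignore
    relative entries ('.' or empty), which would reintroduce it via PATH."""
    for d in search_dirs:
        if not d or not os.path.isabs(d):
            continue
        for suffix in EXEC_SUFFIXES:
            candidate = Path(d) / (name + suffix)
            if candidate.is_file():
                return str(candidate)
    return None


def demo():
    """Build a throwaway tree (constructed, not a real install): a planted
    git.bat in a 'cloned repo' and a stand-in git.exe in a trusted directory.
    Returns which file each lookup picked for the bare name 'git'."""
    with tempfile.TemporaryDirectory() as root:
        repo = Path(root) / "cloned-repo"
        trusted = Path(root) / "Program Files" / "Git" / "cmd"
        repo.mkdir()
        trusted.mkdir(parents=True)
        (repo / "git.bat").write_text("@echo planted\n")   # attacker-controlled file from the checkout
        (trusted / "git.exe").write_bytes(b"MZ")            # stand-in for the legitimate binary
        search_path = [str(trusted), "."]                   # '.' mimics a PATH entry naming the cwd
        vulnerable = resolve_executable("git", search_path, cwd=str(repo))
        hardened = resolve_executable_hardened("git", search_path)
        return {
            "vulnerable_picked_repo": vulnerable == str(repo / "git.bat"),
            "hardened_picked_trusted": hardened == str(trusted / "git.exe"),
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns both flags as True: the vulnerable order resolves `git` to the planted `git.bat` in the checkout, while the hardened order resolves it to `git.exe` in the trusted directory and returns nothing at all when only relative entries are available.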
Detection Methods for CVE-2020-27955
Indicators of Compromise
- Presence of unexpected executable files (git.exe, git.bat, git.cmd) within Git repository directories
- Execution of Git-related processes from unusual directory paths outside standard system locations
- Anomalous process spawning patterns where Git LFS parent processes launch unexpected child executables
- Unusual network connections or system modifications following Git clone or pull operations
Detection Strategies
- Monitor for process execution events where Git LFS spawns executables from repository working directories rather than system paths
- Implement file integrity monitoring on development workstations to detect rogue executables in Git repositories
- Deploy endpoint detection rules to alert on git.exe or similar binaries executing from non-standard locations (not C:\Program Files\Git\ or similar)
- Configure SentinelOne behavioral AI to detect anomalous execution patterns associated with binary planting attacks
Monitoring Recommendations
- Enable verbose logging for Git and Git LFS operations to capture executable path resolution details
- Implement centralized logging for all developer workstations to correlate suspicious Git-related activities
- Configure alerts for new executable files appearing in cloned repository directories
- Regularly audit Git LFS versions across development infrastructure to ensure vulnerable versions are identified and tracked
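Detection logic for the indicators and strategies above, as an added example (not SentinelOne's or the Git LFS project's code). It assumes a constructed process-creation record format of key=value fields separated by `|` (loosely modelled on the ParentImage, Image and CommandLine fields an endpoint sensor records) and an assumed trusted install root under C:\Program Files\Git; the sample events and the repository tree used by the scanner are constructed. Two checks are applied: a git.exe/git.bat/git.cmd image running outside the trusted install directory, and git-lfs.exe spawning any child from an untrusted location; the scanner covers the file-system indicator (git-named executables inside a cloned repository).

```python
import ntpath
import os
import tempfile
from pathlib import Path

GIT_NAMES = {"git.exe", "git.bat", "git.cmd"}
# Assumed trusted install roots; adjust to the organisation's standard image
TRUSTED_PREFIXES = ("c:\\program files\\git\\", "c:\\program files (x86)\\git\\")


def is_trusted_location(image_path):
    p = image_path.lower().replace("/", "\\")
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def classify_event(ev):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    reasons = []
    if ntpath.basename(image).lower() in GIT_NAMES and not is_trusted_location(image):
        reasons.append("git binary executed outside trusted install directory")
    if ntpath.basename(parent).lower() == "git-lfs.exe" and not is_trusted_location(image):
        reasons.append("git-lfs spawned a child from an untrusted location")
    return reasons


def detect(lines):
    """Run the classifier over records; returns (image, reasons) per alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify_event(ev)
        if reasons:
            alerts.append((ev["Image"], reasons))
    return alerts


# Constructed sample events: two benign, one planted git.bat launched by git-lfs,
# one git.exe run from a download folder by a non-LFS parent
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Git\cmd\git.exe|Image=C:\Program Files\Git\mingw64\bin\git-lfs.exe|CommandLine=git-lfs smudge",
    r"ParentImage=C:\Program Files\Git\mingw64\bin\git-lfs.exe|Image=C:\Program Files\Git\cmd\git.exe|CommandLine=git config -l",
    r"ParentImage=C:\Program Files\Git\mingw64\bin\git-lfs.exe|Image=C:\Users\dev\src\cloned-repo\git.bat|CommandLine=git config -l",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Users\dev\Downloads\git.exe|CommandLine=git --version",
]


def scan_repo_for_planted_binaries(repo_root):
    """File-system indicator: git-named executables anywhere in a checkout."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(repo_root):
        for f in filenames:
            if f.lower() in GIT_NAMES:
                hits.append(os.path.join(dirpath, f))
    return hits


def demo_scan():
    """Constructed repository tree for the scanner; returns flagged paths
    relative to the repository root, using '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        repo = Path(root)
        (repo / "tools").mkdir()
        (repo / "README.md").write_text("demo\n")
        (repo / "git.bat").write_text("@echo planted\n")
        (repo / "tools" / "Git.CMD").write_text("@echo planted\n")
        return sorted(os.path.relpath(h, root).replace(os.sep, "/")
                      for h in scan_repo_for_planted_binaries(root))


if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
    print(demo_scan())
```

Against the sample events the classifier raises two alerts: the planted git.bat (both reasons) and the git.exe in Downloads (untrusted location only); the two git-lfs/git events from under C:\Program Files\Git pass. The scanner reports `git.bat` and `tools/Git.CMD` from the constructed tree, matching case-insensitively as Windows would.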
How to Mitigate CVE-2020-27955
Immediate Actions Required
- Upgrade Git LFS to the latest version immediately; versions after 2.12.0 address this vulnerability
- Audit all development systems, CI/CD pipelines, and build servers for vulnerable Git LFS installations
- Review recently cloned repositories for suspicious executable files that could indicate attempted exploitation
- Temporarily restrict Git LFS usage on Windows systems until patches are applied
Patch Information
The Git LFS project has released patched versions to address this vulnerability. Organizations should upgrade to the latest stable release available from the GitHub Releases for Git LFS. The fix modifies how Git LFS resolves executable paths, ensuring that only trusted system directories are searched when invoking external programs.
Workarounds
- Configure Windows systems to exclude the current directory from the executable search order by setting NoDefaultCurrentDirectoryInExePath (an environment variable; set it system-wide under the Session Manager\Environment registry key)
- Implement application whitelisting to prevent execution of unauthorized binaries in repository directories
- Until patches can be applied, use Git LFS only on Linux or macOS systems, where the PATH search behavior differs
- Deploy SentinelOne endpoint protection to detect and block binary planting attack attempts in real-time
# Windows configuration to mitigate search path attacks (run in an elevated PowerShell session)
# Set NoDefaultCurrentDirectoryInExePath so a bare executable name is no longer resolved against the current directory (applies to newly started processes)
setx /M NoDefaultCurrentDirectoryInExePath 1
# Keep SafeDllSearchMode enabled so DLL loading also prefers system directories over the current directory
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
# Verify Git LFS version after upgrade
git lfs version
# Check for suspicious executables in repository directories (executable extensions, file names starting with git)
Get-ChildItem -Path . -Recurse -Include *.exe,*.bat,*.cmd | Where-Object { $_.Name -match '^git' } | Select-Object -ExpandProperty FullName
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


