CVE-2021-46101 Overview
CVE-2021-46101 is a command execution vulnerability affecting Git for Windows through version 2.34.1. When using git pull to update a local repository, the git.cmd file can be executed directly, potentially allowing attackers to compromise systems by manipulating the execution flow of Git commands on Windows platforms.
Critical Impact
This vulnerability enables unauthorized command execution through Git for Windows, potentially allowing attackers to execute arbitrary commands when users perform routine Git operations like git pull.
Affected Products
- Git for Windows through version 2.34.1
Discovery Timeline
- 2022-01-31 - CVE CVE-2021-46101 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-46101
Vulnerability Analysis
This vulnerability exists in Git for Windows' command execution mechanism. The core issue stems from how Git for Windows handles the resolution and execution of git.cmd during repository operations. When a user executes git pull to synchronize their local repository with a remote source, the system may inadvertently execute a malicious git.cmd file if one is present in a location that takes precedence in the Windows PATH or current working directory.
Windows systems resolve commands by searching through directories in a specific order, and this vulnerability exploits that behavior. An attacker who can place a malicious git.cmd file in a strategic location can hijack the execution flow when a victim runs legitimate Git operations.
Root Cause
The root cause of this vulnerability lies in improper handling of command resolution on Windows systems. Git for Windows relies on batch files (git.cmd) for command execution, and the application does not adequately verify or restrict which git.cmd file gets executed. This allows for command hijacking when a malicious file is placed in a directory that Windows searches before the legitimate Git installation directory.
Attack Vector
The attack vector for CVE-2021-46101 is network-based, requiring no privileges and no user interaction beyond normal Git operations. An attacker can exploit this vulnerability through the following scenario:
- An attacker creates a malicious git.cmd file containing arbitrary commands
- The attacker places this file in a repository or directory that will be accessed by the victim
- When the victim performs a git pull operation, Windows executes the malicious git.cmd instead of the legitimate Git command
- The attacker's arbitrary commands execute with the victim's privileges
This attack could be delivered through a compromised or malicious Git repository, where the malicious git.cmd file is included in the repository contents. A proof-of-concept demonstrating this attack vector is available in the GitHub PoC Repository published by security researcher 0xADY.
Detection Methods for CVE-2021-46101
Indicators of Compromise
- Presence of unexpected git.cmd files in repository directories or user-accessible paths
- Suspicious git.cmd files with modification timestamps that don't match the Git for Windows installation
- Unusual process spawning from Git operations, particularly command shells or PowerShell instances
- Unexpected network connections initiated during routine git pull operations
Detection Strategies
- Monitor file system for creation or modification of git.cmd files outside of the official Git for Windows installation directory
- Implement application allowlisting to restrict which executables and batch files can be run
- Use endpoint detection to identify anomalous command execution patterns following Git operations
- Deploy SentinelOne's behavioral AI to detect suspicious command chains originating from Git processes
Monitoring Recommendations
- Enable Windows file auditing for directories commonly used for Git repositories
- Configure SentinelOne agents to alert on unusual batch file execution in user directories
- Implement logging for all Git operations and correlate with process creation events
- Monitor for unexpected child processes spawned by Git-related executables
How to Mitigate CVE-2021-46101
Immediate Actions Required
- Update Git for Windows to the latest available version beyond 2.34.1
- Audit existing repositories for unexpected git.cmd files
- Configure Windows to prioritize the official Git installation directory in PATH resolution
- Implement application control policies to prevent execution of batch files from untrusted locations
Patch Information
Users should update Git for Windows to a version newer than 2.34.1. The latest version can be obtained from the official Git for Windows website or through package managers like Chocolatey or Winget. After updating, verify the installation by running git --version to confirm the updated version is in use.
Workarounds
- Modify the Windows PATH environment variable to ensure the official Git installation directory appears first
- Remove execute permissions from git.cmd files found in non-standard locations
- Use the full path to Git executables when running Git commands in scripts
- Consider using Git Bash instead of cmd.exe for Git operations, as this reduces exposure to Windows command resolution vulnerabilities
# Configuration example
# Verify Git for Windows version
git --version
# Check for suspicious git.cmd files in common locations
dir /s /b C:\Users\%USERNAME%\git.cmd 2>nul
dir /s /b %APPDATA%\git.cmd 2>nul
# Ensure correct Git path priority in system PATH
echo %PATH% | findstr /i "Git"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
