GitHub rotates keys to mitigate impact of credential-exposing flaw



GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.

This unsafe reflection vulnerability (tracked as CVE-2024-0200) can allow attackers to gain remote code execution on unpatched servers.

It was also patched on Tuesday in GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, with the company urging all customers to install the security update as soon as possible.

While allowing threat actors to gain access to the environment variables of a production container, including credentials, successful exploitation requires authentication with an organization owner role (with admin access to the organization).

“On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credentials,” said GitHub VP and Deputy Chief Security Officer Jacob DePriest.

“After running a full investigation, we assess with high confidence, based on the uniqueness of this issue and analysis of our telemetry and logging, that this vulnerability has not been previously found and exploited.”

While the organization owner role requirement is a significant mitigating factor and the vulnerability’s impact is limited to the researcher who found and reported the issue through GitHub’s Bug Bounty Program, DePriest says the credentials were still rotated according to security procedures and “out of an abundance of caution.”

Although most of the keys rotated by GitHub in December require no customer action, those using GitHub’s commit signing key and the GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys need to import the new public keys.

GitHub rotating keys

”We strongly recommend regularly pulling the public keys from the API to ensure you’re using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future,” DePriest said.
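As an added example (not GitHub's code and not from the article): a small repository-secrets client that follows DePriest's advice by pulling the current public key from GitHub's REST API immediately before every write and sending the returned key_id alongside the sealed value, so a key rotation on GitHub's side needs no change on the client. The endpoints and headers are GitHub's documented ones; in production `seal` is libsodium's sealed box (for example PyNaCl's SealedBox), which the offline demo replaces with a labelled placeholder, and FakeGitHub, the owner/repo/token values and the key ids are constructed.

```python
import base64, io, json, urllib.request

API = "https://api.github.com"

def _call(method, url, token, body=None, urlopen=urllib.request.urlopen):
    """Minimal GitHub REST request; `urlopen` is injectable so the demo below runs offline."""
    req = urllib.request.Request(url, method=method, data=None if body is None else json.dumps(body).encode(),
                                 headers={"Accept": "application/vnd.github+json",
                                          "Authorization": f"Bearer {token}", "X-GitHub-Api-Version": "2022-11-28"})
    with urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def fetch_actions_public_key(owner, repo, token, urlopen=urllib.request.urlopen):
    """Pull the repository's *current* secrets key from the API rather than pinning a copy."""
    doc = _call("GET", f"{API}/repos/{owner}/{repo}/actions/secrets/public-key", token, urlopen=urlopen)
    key = base64.b64decode(doc["key"], validate=True)
    if len(key) != 32:  # the endpoint returns a 32-byte Curve25519 public key
        raise ValueError("unexpected public key length")
    return doc["key_id"], key

def put_actions_secret(owner, repo, token, name, plaintext, seal, urlopen=urllib.request.urlopen):
    """Fetch the key, seal the secret, and upload it together with the key_id it was sealed under."""
    key_id, key = fetch_actions_public_key(owner, repo, token, urlopen)
    body = {"encrypted_value": base64.b64encode(seal(key, plaintext.encode())).decode(), "key_id": key_id}
    _call("PUT", f"{API}/repos/{owner}/{repo}/actions/secrets/{name}", token, body, urlopen)
    return key_id

class FakeGitHub:
    """Constructed stand-in for api.github.com: serves one key generation and records PUT bodies."""
    def __init__(self):
        self.generation, self.puts = 0, []
        self.rotate()
    def rotate(self):  # simulates GitHub rotating the customer encryption key
        self.generation += 1
        self.key_id, self.key = f"constructed-key-{self.generation}", bytes([self.generation]) * 32
    def __call__(self, req):  # drop-in replacement for urllib.request.urlopen
        if req.get_method() == "PUT":
            self.puts.append(json.loads(req.data))
            return io.BytesIO(b"")
        return io.BytesIO(json.dumps({"key_id": self.key_id, "key": base64.b64encode(self.key).decode()}).encode())

def demo_rotation(seal=lambda key, pt: key[:4] + pt):  # placeholder sealer, NOT real encryption
    """Upload a secret, let the server rotate its key, upload again; each PUT names the key it used."""
    gh = FakeGitHub()
    first = put_actions_secret("acme", "app", "ghp_x", "API_TOKEN", "s3cret", seal, gh)
    gh.rotate()
    second = put_actions_secret("acme", "app", "ghp_x", "API_TOKEN", "s3cret", seal, gh)
    return first, second, [p["key_id"] for p in gh.puts]
```

A client that cached the key from an earlier run would keep sealing under a retired key after a rotation; fetching before each write is what makes the rotation transparent.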

GitHub also fixed a second high-severity Enterprise Server command injection vulnerability (CVE-2024-0507) that can allow attackers using a Management Console user account with an editor role to escalate privileges.

This isn't the first time the company has had to rotate or revoke exposed or stolen secrets in the past year.

For instance, it also rotated its GitHub.com private SSH key last March after it was accidentally and “briefly” exposed via a public GitHub repository, impacting Git operations over SSH using RSA.

The incident occurred weeks after the company started rolling out secrets scanning for all public repositories, which should have caught the exposed key since it supports API keys, account passwords, authentication tokens, and other confidential data alerts.

Months earlier, GitHub also had to revoke code-signing certificates for its Desktop and Atom applications after unknown attackers stole them by breaching the company’s development and release planning repositories in December 2022.
