GitHub rotated keys doubtlessly uncovered by a vulnerability patched in December that might let attackers entry credentials inside manufacturing containers by way of atmosphere variables.
This unsafe reflection vulnerability (tracked as CVE-2024-0200) can enable attackers to realize distant code execution on unpatched servers.
It was additionally patched on Tuesday in GitHub Enterprise Server (GHES) variations 3.8.13, 3.9.8, 3.10.5, and three.11.3, with the corporate urging all prospects to put in the security replace as quickly as potential.
Whereas permitting risk actors to realize entry to atmosphere variables of a manufacturing container, together with credentials, profitable exploitation requires authentication with a corporation proprietor function (with admin entry to the group).
“On December 26, 2023, GitHub obtained a report by our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed entry to credentials inside a manufacturing container. We mounted this vulnerability on GitHub.com the identical day and started rotating all doubtlessly uncovered credential,” stated Github VP and Deputy Chief Safety Officer Jacob DePriest.
“After working a full investigation, we assess with excessive confidence, primarily based on the distinctiveness of this difficulty and evaluation of our telemetry and logging, that this vulnerability has not been beforehand discovered and exploited.”
Whereas the group proprietor function requirement is a major mitigating issue and the vulnerability’s affect is proscribed to the researcher who discovered and reported the difficulty by GitHub’s Bug Bounty Program, DePriest says the credentials have been nonetheless rotated in line with security procedures and “out of an abundance of warning.”
Though many of the keys rotated by GitHub in December require no buyer motion, these utilizing GitHub’s commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot buyer encryption keys should import the brand new public keys.
”We strongly suggest frequently pulling the general public keys from the API to make sure you’re utilizing probably the most present information from GitHub. This may also enable for seamless adoption of latest keys sooner or later,” DePriest stated.
GitHub additionally mounted a second high-severity Enterprise Server command injection vulnerability (CVE-2024-0507) that might enable attackers utilizing a Administration Console person account with an editor function to escalate privileges.
This is not the primary time the corporate has needed to rotate or revoke uncovered or stolen secrets and techniques previously 12 months.
As an example, it additionally rotated its GitHub.com non-public SSH key final March after it was by chance and “briefly” uncovered by way of a public GitHub repository, impacting Git operations over SSH utilizing RSA.
The incident occurred weeks after the corporate started rolling out secrets and techniques scanning for all public repositories, which ought to’ve caught the uncovered key because it helps API keys, account passwords, authentication tokens, and different confidential information alerts.
Months earlier, GitHub additionally needed to revoke code-signing certificates for its Desktop and Atom functions after unknown attackers stole them after breaching the corporate’s growth and launch planning repositories in December 2022.
