GitHub, the widely used collaboration and source code hosting platform, has addressed a security vulnerability discovered on December 26, 2023. As a precaution, the company moved quickly to rotate keys, including the GitHub commit signing key and the GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys. Users who depend on these keys have been advised to import the new ones.
The flaw, tracked as CVE-2024-0200 and rated high severity with a CVSS score of 7.2, has not been exploited in the wild. GitHub Enterprise Server (GHES) is affected; however, exploiting the vulnerability requires an authenticated user signed into an account on the GHES instance with the organization owner role, which limits the opportunities for exploitation, as reported by The Hacker News.
GitHub described the GHES vulnerability as a case of “unsafe reflection,” meaning it could lead to reflection injection and remote code execution. GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3 have been released to address the problem. GitHub also fixed another high-severity flaw, CVE-2024-0507, with a CVSS score of 6.5. This bug allowed an attacker with access to a Management Console user account holding the editor role to escalate privileges through command injection.
This step comes almost a year after GitHub took the cautious measure of replacing its RSA SSH host key, which safeguards Git operations, in response to a brief exposure in a public repository. These preventative measures demonstrate GitHub’s commitment to managing security risks quickly and protecting the integrity of its platform.
Lingering Challenge: Security Vulnerability
According to BleepingComputer, GitHub has rotated keys several times over the past year as a result of secrets that were leaked or stolen. Notably, in March, the platform rotated its private SSH host key for GitHub.com after it was briefly exposed in a public repository, affecting Git operations performed over SSH using RSA. This happened despite the adoption of secret scanning for public repositories, which was intended to discover exposed keys and confidential data.
In December 2022, GitHub was forced to revoke the code-signing certificates for its Desktop and Atom applications after a separate incident that month, in which unknown intruders breached the organization’s development and release planning repositories and stole the certificates. These incidents illustrate GitHub’s attentiveness in responding to security problems and its proactive management of potential vulnerabilities.
Hackers Exploiting GitHub
Recorded Future, a cybersecurity research company, has identified an alarming pattern of Advanced Persistent Threat (APT) actors abusing GitHub to deliver malware payloads. According to Cyber Security News, GitHub, with a user base exceeding 94 million, has become a prominent target for threat actors who use its application programming interface (API) to evade detection and blend in with legitimate network traffic. Payload delivery, data and device reconnaissance (DDR), full command and control (C2), and exfiltration are the four primary categories of abuse identified.
Payload distribution remains an ongoing problem, driven mostly by cybercriminals and state-sponsored groups such as BUHTRAP and APT37. According to data published by Netskope in 2022, GitHub accounts for 7.6% of cloud-based malware downloads. Tactics include repository poisoning, the creation of fake repositories, and infection-focused methodologies.
DDR activity on GitHub involves users exchanging URLs, domains, or IP addresses, often inside encrypted files. The study also documents the use of GitHub for full C2, including the incorporation of an “abstraction layer.” GitHub is also used as a proxy for exfiltration, though less frequently than other techniques because of the functional limits and exposure risks involved. These findings highlight the growing difficulties and dangers associated with cybersecurity on widely used collaborative coding platforms like GitHub.