GitHub’s Security Alert: Key Rotation After Patching Critical Vulnerability

Jan 17, 2024 | News


In a proactive response to a security vulnerability, GitHub has rotated keys that could have been exposed by a flaw patched in December. The flaw allowed attackers to read credentials from environment variables inside production containers.

The vulnerability, identified as CVE-2024-0200, posed a risk of remote code execution on unpatched servers. GitHub swiftly addressed this issue on GitHub.com, and on Tuesday, the patch was extended to GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. GitHub emphasizes the urgency for all customers to install this security update promptly.

While the vulnerability allowed threat actors to read environment variables, including credentials, successful exploitation required the attacker to be authenticated with an organization owner role, which already grants admin access to the organization.


Jacob DePriest, GitHub’s VP and Deputy Chief Security Officer, shared insights: “After running a full investigation, we assess with high confidence, based on the uniqueness of this issue and analysis of our telemetry and logging, that this vulnerability has not been previously found and exploited.” Despite the mitigating factor of the organization owner role requirement, GitHub rotated the credentials according to security procedures and as a precautionary measure.

While most keys rotated in December require no customer action, users relying on GitHub’s commit signing key, GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys need to import the new public keys. DePriest strongly recommends regularly pulling public keys from the API for up-to-date information and seamless adoption of new keys in the future.

Additionally, GitHub addressed a second high-severity vulnerability (CVE-2024-0507) in GitHub Enterprise Server, which allowed an attacker with a Management Console user account in the editor role to escalate privileges.

This response is consistent with GitHub's past security actions, such as rotating the GitHub.com private SSH key and revoking code-signing certificates for the Desktop and Atom applications in response to security incidents over the past year. GitHub continues to prioritize the security and integrity of its platform and the protection of user data.


Source: bleepingcomputer.com
