Critical Security Flaws Found in Gogs Open-Source Git Service
Recent research has identified four unaddressed security vulnerabilities in Gogs, a popular self-hosted, open-source Git service. Among these, three are classified as critical, potentially allowing authenticated attackers to breach vulnerable installations, access, alter, or delete source code, and introduce malicious backdoors.
According to a report from SonarSource researchers Thomas Chauchefoin and Paul Gerste, the vulnerabilities are categorized as follows: CVE-2024-39930 concerns argument injection in the built-in SSH server, CVE-2024-39931 involves the deletion of internal files, and CVE-2024-39932 allows for argument injection during the preview of changes. Additionally, CVE-2024-39933 relates to argument injection when tagging new releases, with a lower severity score.
The implications of these vulnerabilities are significant. If successfully exploited, an attacker could execute arbitrary commands on the Gogs server by leveraging the first three flaws. The fourth vulnerability would grant them access to read sensitive files, including source code and configuration secrets. While it is noteworthy that all vulnerabilities require the attacker to be authenticated, the ease of creating an account on Gogs instances with enabled registration could facilitate unauthorized access. Notably, to exploit CVE-2024-39930, the SSH server must be active, and the attacker needs to possess a valid SSH private key.
Gogs instances on Windows and Docker environments are secure from these vulnerabilities. However, those deployed on Debian and Ubuntu systems remain at significant risk, primarily due to the presence of the "–split-string" option in the environment binary. Current data from Shodan indicates that approximately 7,300 Gogs instances are publicly accessible, with the majority located in China, followed by the United States, Germany, Russia, and Hong Kong.
The research team expressed concern over the lack of response from Gogs maintainers after initially reporting the issues in April 2023. In light of the absence of official fixes, users are advised to disable the built-in SSH server and restrict user registration to mitigate the risk of mass exploitation. As a precautionary measure, SonarSource has provided a patch that users can apply, although it has not undergone extensive testing.
These vulnerabilities expose Gogs users to a variety of risks, including unauthorized code modification and system compromise. As a broader context, the report resonates with recent findings from cybersecurity firm Aqua, which highlighted the persistence of sensitive information within source control systems, even after its removal. Dubbed "phantom secrets," this issue underlines the limitations of conventional scanning methods that may not detect previously committed secrets still accessible through cached views on SCM platforms.
In summary, the exploitation of these vulnerabilities poses a severe risk to organizations using Gogs, particularly those with exposed instances. Business owners should prioritize immediate risk assessment and remediation strategies to secure their environments against potential exploitation. This incident underscores the importance of agile response practices in cybersecurity, drawing attention to the evolving threat landscape.
