GitHub has confirmed the rotation of specific cryptographic keys following the identification of a significant security vulnerability. This issue poses the risk of unauthorized access to sensitive credentials within production containers. The subsidiary of Microsoft announced that it first learned of the problem on December 26, 2023, and took immediate action to rectify it on the same day, emphasizing a commitment to safety by rotating all possibly compromised credentials.
The keys that were rotated include those used for GitHub commit signing, as well as keys related to GitHub Actions, GitHub Codespaces, and Dependabot’s customer encryption. Users relying on these services will need to import new keys to maintain secure operations.
Currently classified as CVE-2024-0200 with a CVSS score of 7.2, this high-severity vulnerability has not been reported as being exploited in the wild. GitHub’s Jacob DePriest confirmed that the vulnerability also affects GitHub Enterprise Server (GHES), but exploitation would necessitate that an attacker has logged into an account with an organization owner role, a condition that significantly reduces the likelihood of successful exploitation.
Further elaborating on the vulnerability, GitHub referred to it as an instance of “unsafe reflection” within GHES, which could facilitate reflection injection and remote code execution. The issue has been patched in the most recent updates of GHES, including versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
Additionally, GitHub has addressed a separate high-severity issue tracked as CVE-2024-0507, with a CVSS score of 6.5. This vulnerability could enable an attacker with access to a Management Console user account in the editor role to execute privilege escalation through command injection.
These developments come almost a year after GitHub replaced its RSA SSH host key used for securing Git operations following its exposure in a public repository.
This incident underscores the necessity for enhanced vigilance among organizations leveraging GitHub’s services. The rotation of keys and remediation of vulnerabilities, while crucial steps, also highlight the need for stringent access controls and user authentication mechanisms to mitigate potential exploitation risks.
Business owners should remain aware of such vulnerabilities and consider regular security assessments and updates to their security protocols. The MITRE ATT&CK framework identifies tactics such as initial access, privilege escalation, and persistence as critical areas to focus on in fortifying defenses against potential threats. In light of this incident, companies are encouraged to assess their configurations and ensure they are aligned with best practices for security to minimize vulnerability to similar attacks.
