GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.
This unsafe reflection vulnerability (tracked as CVE-2024-0200) can allow attackers to gain remote code execution on unpatched servers.
It was also patched on Tuesday in GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, with the company urging all customers to install the security update as soon as possible.
While allowing threat actors to gain access to environment variables of a production container, including credentials, successful exploitation requires authentication with an organization owner role (with admin access to the organization).
“On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credential,” said Github VP and Deputy Chief Security Officer Jacob DePriest.
“After running a full investigation, we assess with high confidence, based on the uniqueness of this issue and analysis of our telemetry and logging, that this vulnerability has not been previously found and exploited.”
While the organization owner role requirement is a significant mitigating factor and the vulnerability’s impact is limited to the researcher who found and reported the issue through GitHub’s Bug Bounty Program, DePriest says the credentials were still rotated according to security procedures and “out of an abundance of caution.”
Although most of the keys rotated by GitHub in December require no customer action, those using GitHub’s commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will have to import the new public keys.
”We strongly recommend regularly pulling the public keys from the API to ensure you’re using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future,” DePriest said.
GitHub also fixed a second high-severity Enterprise Server command injection vulnerability (CVE-2024-0507) that would allow attackers using a Management Console user account with an editor role to escalate privileges.
This isn’t the first time the company has had to rotate or revoke exposed or stolen secrets in the past year.
For instance, it also rotated its GitHub.com private SSH key last March after it was accidentally and “briefly” exposed via a public GitHub repository, impacting Git operations over SSH using RSA.
The incident occurred weeks after the company began rolling out secrets scanning for all public repositories, which should’ve caught the exposed key since it supports API keys, account passwords, authentication tokens, and other confidential data alerts.
Months earlier, GitHub also had to revoke code-signing certificates for its Desktop and Atom applications after unknown attackers stole them after breaching the company’s development and release planning repositories in December 2022.