Article Details

Scrape Timestamp (UTC): 2024-01-17 07:42:32.533

Source: https://thehackernews.com/2024/01/github-rotates-keys-after-high-severity.html

Original Article Text


GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has revealed that it has rotated some keys in response to a security vulnerability that could potentially be exploited to gain access to credentials within a production container.

The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it addressed the issue the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.

The rotated keys include the GitHub commit signing key as well as the GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, so users who rely on these keys must import the new ones.

There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), has previously been found and exploited in the wild.

"This vulnerability is also present on GitHub Enterprise Server (GHES)," GitHub's Jacob DePriest said. "However, exploitation requires an authenticated user with an organization owner role to be logged into an account on the GHES instance, which is a significant set of mitigating circumstances to potential exploitation."

In a separate advisory, GitHub characterized the vulnerability as a case of "unsafe reflection" in GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

Also addressed by GitHub is another high-severity bug, tracked as CVE-2024-0507 (CVSS score: 6.5), which could permit an attacker with access to a Management Console user account with the editor role to escalate privileges via command injection.

The development comes nearly a year after the company took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository.

Daily Brief Summary

DATA BREACH // GitHub Acts Promptly to Rotate Keys After Critical Flaw Exposed

GitHub identified and swiftly addressed a high-severity security vulnerability on December 26, 2023, which could have allowed unauthorized access to sensitive credentials.

Following the discovery of the vulnerability, tracked as CVE-2024-0200, GitHub proactively rotated potentially compromised keys, including commit signing and customer encryption keys.

The issue affected GitHub Enterprise Server (GHES) and required an authenticated user with an organization owner role for potential exploitation.

Patches were released for the "unsafe reflection" vulnerability in multiple GHES versions to prevent reflection injection and remote code execution.

Another high-severity issue tracked as CVE-2024-0507 was also addressed, involving privilege escalation through command injection in the Management Console.

GitHub's recent history of preemptive security measures includes the replacement of an RSA SSH host key following inadvertent exposure in a public repository.

The incident underlines the importance of rapid and decisive action in detection and mitigation of security threats, demonstrating GitHub's commitment to maintaining platform security.