GitHub, the widely used collaborative platform for coding and source code repositories, recently responded to a security vulnerability identified on December 26, 2023. The company took swift action, rotating keys, including the GitHub commit signing key, GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, as a precautionary measure. Users relying on these keys have been advised to import the new ones.

The security vulnerability, designated as CVE-2024-0200 with a high-severity score of 7.2 (CVSS), has not been exploited in the wild. GitHub Enterprise Server (GHES) is affected, but exploiting the vulnerability requires an authenticated user with an organization owner role logged into an account on the GHES instance, limiting the potential for exploitation, The Hacker News reported.

GitHub characterized the vulnerability in GHES as an instance of "unsafe reflection," posing risks of reflection injection and remote code execution. A fix for this issue has been implemented in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. Additionally, GitHub addressed another high-severity bug, CVE-2024-0507 (CVSS score: 6.5), enabling an attacker with access to a Management Console user account with the editor role to escalate privileges through command injection.

This responsive action follows GitHub's precautionary replacement of its RSA SSH host key, responsible for securing Git operations, nearly a year ago after a brief exposure in a public repository. These proactive measures underscore GitHub's commitment to managing security concerns promptly and ensuring the integrity of its platform.

Lingering Challenge

GitHub has encountered multiple key rotations in the past year due to exposed or stolen secrets, per BleepingComputer. Notably, in March, the platform rotated its GitHub.com private SSH key after a brief exposure in a public repository, impacting Git operations over SSH using RSA. This occurred despite the implementation of secret scanning for public repositories, designed to identify exposed keys and confidential data.

Read Also: Microsoft Launches Copilot Pro Plan for Enhanced Office 365 Experience

In a separate incident in December 2022, GitHub had to revoke code-signing certificates for its desktop and Atom applications. Unknown attackers stole these certificates after breaching the company's development and release planning repositories. These incidents highlight GitHub's vigilance in responding to security challenges and proactively managing potential vulnerabilities.

Hackers Exploiting GitHub

Recorded Future, a cybersecurity research firm, has identified a concerning trend of Advanced Persistent Threat (APT) hackers exploiting GitHub to deliver malware payloads. Cyber Security News reported that GitHub, with a user base exceeding 94 million, has become a prime target for threat actors leveraging its API to avoid detection and gain advantages in network traffic. Exploitation occurs across four main categories: payload delivery, data and device reconnaissance (DDR), full command and control (C2), and filtration.

Payload delivery, primarily driven by cyber criminals and state-sponsored groups such as BUHTRAP and APT37, remains an ongoing concern. Netskope's 2022 data notes GitHub's 7.6% share in cloud-based malware downloads. Tactics involve repository poisoning, creating fake repositories, and employing infection-focused methods.

DDR activities on GitHub include users sharing URLs, domains, or IP addresses, often within encrypted files. The report highlights GitHub's use of full C2, incorporating an "abstraction layer." While less common due to functional constraints and exposure concerns, GitHub serves as a proxy for exfiltration, although less frequently than other schemes. These findings emphasize the escalating challenges and risks associated with cybersecurity on widely-used collaborative coding platforms such as GitHub.

Related Article: Cybersecurity in Today's Digital Age