GitHub scrambles to rotate keys after credentials in production containers were potentially exposed

GitHub has moved quickly to rotate a number of its keys after a high-severity vulnerability potentially exposed credentials.

The developer platform was notified via its bug bounty program of a vulnerability that would allow attackers to access credentials within a production container.

The vulnerability, CVE-2024-0200, was classified in the National Vulnerability Database (NVD) as an unsafe reflection flaw that could allow attackers to achieve remote code execution (RCE) on compromised systems.

In a blog post, GitHub’s VP and deputy chief security officer Jacob DePriest said the company launched a full investigation into the issue, fixing the security flaw and rotating all potentially exposed credentials.

DePriest noted the vulnerability is also present in GitHub Enterprise Server (GHES), which was patched on 16 January 2024, but that exploiting it would require the attacker to have an authenticated user account with the organization owner role.

Nonetheless, DePriest advised all GHES customers to apply the 16 January patch as soon as possible.

He wrote that GitHub is confident the vulnerability has not been exploited by malicious actors, and that the decision to rotate any potentially exposed credentials was taken as an extra precaution.

“While we are confident the impact was isolated to the bug bounty researcher, our procedures call for rotation of credentials in any event where they are exposed to a third party out of an abundance of caution,” he said.

Users who verify their commits outside of GitHub, or those with commit signing enabled in GitHub Codespaces who have not pushed their commits from their codespace to their GitHub repository, could be affected.

As such, DePriest advises these users to import GitHub’s new public key, and recommends regularly pulling the public key to ensure they are using the most up-to-date version.

“A very powerful weapon” that could allow access to GitHub customer networks

The disclosure of this vulnerability drew comments from security experts on the damage threat actors would have been able to cause if they were to successfully exploit the weakness.

Kevin Bocek, VP ecosystems and community at cyber security company Venafi, said an exposure of this nature could have had a much more serious impact, given the privileges an attacker would have had access to.

“GitHub needs to take a closer look at how it manages its keys as an exposure of this kind - no matter how brief - could have serious ramifications given the high level of privilege these machine identities are afforded.”

Bocek said machine identities are particularly valuable to threat actors because of their prevalence and complexity.

“These critical machine identities are incredibly powerful and are used everywhere, but they’re also poorly understood and managed, making them a prime target for attackers.”

The fact this vulnerability doesn’t appear to have been exploited by hackers is fortunate, Bocek noted, given the level of access they would have enjoyed.

“[I]f an attacker had seized this opportunity, then it would have given them a very powerful weapon – potentially allowing them to spread across GitHub’s customer networks, eavesdropping on users’ connections, and accessing GitHub’s infrastructure too, while appearing completely trustworthy.”

Solomon Klappholz
Staff Writer