Headline
Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service
Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service that could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors. The vulnerabilities, according to SonarSource researchers Thomas Chauchefoin and Paul Gerste, are listed below -
CVE-2024-39930 (CVSS
Vulnerability / Software Security
Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service that could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors.
The vulnerabilities, according to SonarSource researchers Thomas Chauchefoin and Paul Gerste, are listed below -
- CVE-2024-39930 (CVSS score: 9.9) - Argument injection in the built-in SSH server
- CVE-2024-39931 (CVSS score: 9.9) - Deletion of internal files
- CVE-2024-39932 (CVSS score: 9.9) - Argument injection during changes preview
- CVE-2024-39933 (CVSS score: 7.7) - Argument injection when tagging new releases
Successful exploitation of the first three shortcomings could permit an attacker to execute arbitrary commands on the Gogs server, while the fourth flaw allows attackers to read arbitrary files such as source code, and configuration secrets.
In other words, by abusing the issues, a threat actor could read source code on the instance, modify any code, delete all code, target internal hosts reachable from the Gogs server, and impersonate other users and gain more privileges.
That said, all four vulnerabilities require that the attacker be authenticated. Furthermore, triggering CVE-2024-39930 necessitates that the built-in SSH server is enabled, the version of the env binary used, and the threat actor is in possession of a valid SSH private key.
“If the Gogs instance has registration enabled, the attacker can simply create an account and register their SSH key,” the researchers said. “Otherwise, they would have to compromise another account or steal a user’s SSH private key.”
Gogs instances running on Windows are not exploitable, as is the Docker image. However, those running on Debian and Ubuntu are vulnerable due to the fact that the env binary supports the “–split-string” option.
According to data available on Shodan, around 7,300 Gogs instances are publicly accessible over the internet, with nearly 60% of them located in China, followed by the U.S., Germany, Russia, and Hong Kong.
It’s currently not clear how many of these exposed servers are vulnerable to the aforementioned flaws. SonarSource said it does not have any visibility into whether these issues are being exploited in the wild.
The Swiss cybersecurity firm also pointed out that the project maintainers “did not implement fixes and stopped communicating” after accepting its initial report on April 28, 2023.
In the absence of an update, users are recommended to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has also released a patch that users can apply, but noted it hasn’t been extensively tested.
The disclosure comes as cloud security firm Aqua discovered that sensitive information such as access tokens and passwords once hard-coded could remain permanently exposed even after removal from Git-based source code management (SCM) systems.
Dubbed phantom secrets, the issue stems from the fact that they cannot be discovered by any of the conventional scanning methods – most of which look for secrets using the “git clone” command – and that certain secrets are accessible only via “git clone --mirror” or cached views of SCM platforms, highlighting the blind spots that such scanning tools may miss.
“Commits remain accessible through ‘cache views’ on the SCM,” security researchers Yakir Kadkoda and Ilay Goldman said. “Essentially, the SCM saves the commit content forever.”
“This means that even if a secret containing commit is removed from both the cloned and mirrored versions of your repository, it can still be accessed if someone knows the commit hash. They can retrieve the commit content through the SCM platform’s GUI and access the leaked secret.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
### Impact When the built-in SSH server is enabled (`[server] START_SSH_SERVER = true`), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. ### Patches The `env` command sent to the internal SSH server has been changed to be a passthrough (https://github.com/gogs/gogs/pull/7868), i.e. the feature is effectively removed. Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds [Disable the use of built-in SSH server](https://github.com/gogs/gogs/blob/7adac94f1e93cc5c3545ea31688662dcef9cd737/conf/app.ini#L76-L77) on operating systems other than Windows. ### References https://www.cve.org/CVERecord?id=CVE-2024-39930
### Impact Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance. ### Patches Unintended Git options has been ignored for diff preview (https://github.com/gogs/gogs/pull/7871). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39932
### Impact Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. ### Patches Deletion of `.git` files has been prohibited (https://github.com/gogs/gogs/pull/7870). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39931
### Impact Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials (`[database] *`) and `[security] SECRET_KEY`. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled. ### Patches Unintended Git options has been ignored for creating tags (https://github.com/gogs/gogs/pull/7872). Users should upgrade to 0.13.1 or the latest 0.14.0+dev. ### Workarounds No viable workaround available, please only grant access to trusted users to your Gogs instance on affected versions. ### References https://www.cve.org/CVERecord?id=CVE-2024-39933
Gogs through 0.13.0 allows argument injection during the previewing of changes.
Gogs through 0.13.0 allows argument injection during the tagging of a new release. This vulnerability is still unfixed as of the time of this advisory being published.
Gogs through 0.13.0 allows deletion of internal files.