July 8, 2024 at 04:37AM
Four critical security flaws have been identified in the Gogs open-source Git service, allowing attackers to execute arbitrary commands, steal source code, and plant backdoors. The vulnerabilities, disclosed by SonarSource researchers, require authentication for exploitation. The project maintainers have not implemented fixes, and users are advised to take precautions while using the service.
Gogs currently carries four unpatched security flaws. Chained or used individually, they allow an authenticated attacker to take over susceptible instances, steal or wipe source code, and plant backdoors. The vulnerabilities are:
1. CVE-2024-39930 (CVSS score: 9.9) – Argument injection in the built-in SSH server
2. CVE-2024-39931 (CVSS score: 9.9) – Deletion of internal files
3. CVE-2024-39932 (CVSS score: 9.9) – Argument injection during changes preview
4. CVE-2024-39933 (CVSS score: 7.7) – Argument injection when tagging new releases
Successful exploitation of the first three vulnerabilities lets an attacker execute arbitrary commands on the Gogs server; the fourth lets an attacker read arbitrary files, including source code and configuration secrets. In practice this means unauthorized modification or deletion of code, access to internal hosts reachable from the Gogs server, and impersonation of other users to gain further privileges. Three of the four are argument-injection bugs: user-controlled strings reach a git (or SSH) command line in a position where a value beginning with "-" is parsed as an option instead of data.
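The following Go snippet is an added illustration of the argument-injection bug class described above; it is not Gogs' code, and the page does not detail the exact injection points in Gogs, so the `git diff` scenario, the ref-name rules and the hostile input are assumptions chosen to show the pattern. It contrasts a vulnerable argv builder with a hardened one that validates names and uses git's `--end-of-options` terminator (git 2.24 or later) as defense in depth:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed attacker-style input (not from the article): a "ref name"
// that git would parse as an option if it reaches argv unguarded.
const hostileRef = "--output=/tmp/pwned"

// VulnerableDiffArgs mirrors the bug class: user-controlled ref names are
// placed directly in git's argv, so a name starting with "-" becomes a flag.
func VulnerableDiffArgs(base, head string) []string {
	return []string{"git", "diff", base, head}
}

// LooksLikeOption reports whether git would treat s as a flag, not a value.
func LooksLikeOption(s string) bool {
	return strings.HasPrefix(s, "-")
}

var ErrBadRefName = errors.New("invalid ref name")

// Allowed characters (assumed, conservative): excludes whitespace,
// control characters and shell metacharacters outright.
var refChars = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// ValidateRefName applies the leading-dash rule plus the git check-ref-format
// rules most relevant here. It deliberately rejects some names git accepts;
// the 255-byte bound is an arbitrary sanity limit.
func ValidateRefName(name string) error {
	switch {
	case name == "", len(name) > 255:
		return ErrBadRefName
	case LooksLikeOption(name):
		return fmt.Errorf("%w: %q starts with '-'", ErrBadRefName, name)
	case !refChars.MatchString(name):
		return fmt.Errorf("%w: %q has disallowed characters", ErrBadRefName, name)
	case strings.Contains(name, ".."), strings.Contains(name, "//"),
		strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"),
		strings.Contains(name, "/."):
		return fmt.Errorf("%w: %q violates ref-format rules", ErrBadRefName, name)
	}
	return nil
}

// SafeDiffArgs validates both names (the primary control) and additionally
// emits --end-of-options so that even a value that slipped through
// validation could not be parsed as a flag.
func SafeDiffArgs(base, head string) ([]string, error) {
	for _, r := range []string{base, head} {
		if err := ValidateRefName(r); err != nil {
			return nil, err
		}
	}
	return []string{"git", "diff", "--end-of-options", base, head}, nil
}

func main() {
	fmt.Println(VulnerableDiffArgs("main", hostileRef)) // the option reaches git
	if _, err := SafeDiffArgs("main", hostileRef); err != nil {
		fmt.Println("rejected:", err)
	}
	args, _ := SafeDiffArgs("main", "feature/login")
	fmt.Println(args)
}
```

The same two controls apply wherever a web form or SSH command supplies a path, tag or branch name to git: validate against the ref-format rules before building the command, and terminate option parsing (`--end-of-options` for refs, `--` for paths) so the value cannot be reinterpreted. Validation is the control that actually stops the attack; the terminator only limits the blast radius when validation is wrong.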
Until an official fix ships, the recommended mitigations are to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider migrating to Gitea. SonarSource has also released a patch of its own, but notes that it has not been extensively tested.
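As an added example, not taken from the article or from the Gogs project, the two mitigations above expressed as `app.ini` settings. The section and key names (`[server] START_SSH_SERVER`, `[auth] DISABLE_REGISTRATION`) are assumed from recent Gogs releases; older releases kept `DISABLE_REGISTRATION` under `[service]`, so confirm the names against the `conf/app.ini` template shipped with your installed version before relying on them:

```ini
; app.ini fragment (assumed key names; verify against your Gogs version)

[server]
; Weak setting: the built-in SSH server is exposed to authenticated users.
; START_SSH_SERVER = true
; Hardened: rely on the host's OpenSSH instead of the built-in server.
START_SSH_SERVER = false

[auth]
; Weak setting: anyone can self-register and obtain the account needed
; to reach the vulnerable code paths.
; DISABLE_REGISTRATION = false
; Hardened: new accounts are created only by an administrator.
DISABLE_REGISTRATION = true
```

After editing, restart the service and confirm the SSH port the built-in server used is no longer listening. Note that these settings reduce exposure but do not remove the flaws: every existing account still has the access needed to exploit them, so review the user list as well.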
A related finding concerns "phantom secrets": access tokens, passwords and similar material that remain retrievable from Git-based source code management systems even after the commit containing them has been removed from the visible history. This exposes a blind spot in conventional secret scanning, which typically inspects only reachable commits, and it means that deleting a leaked secret from a repository is not a substitute for rotating it.
Both findings call for prompt action: apply mitigations to exposed Gogs instances until the vulnerabilities are fixed, and treat any secret that has ever been committed as compromised, rotating it rather than merely deleting it from the repository.