Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

Cyber Security

Jul 08, 2024NewsroomVulnerability / Software Security

Four unpatched security flaws, including three critical ones, have been disclosed in the Gogs open-source, self-hosted Git service that could enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors.

The vulnerabilities, according to SonarSource researchers Thomas Chauchefoin and Paul Gerste, are listed below –

  • CVE-2024-39930 (CVSS score: 9.9) – Argument injection in the built-in SSH server
  • CVE-2024-39931 (CVSS score: 9.9) – Deletion of internal files
  • CVE-2024-39932 (CVSS score: 9.9) – Argument injection during changes preview
  • CVE-2024-39933 (CVSS score: 7.7) – Argument injection when tagging new releases

Successful exploitation of the first three shortcomings could permit an attacker to execute arbitrary commands on the Gogs server, while the fourth flaw allows attackers to read arbitrary files such as source code, and configuration secrets.

In other words, by abusing the issues, a threat actor could read source code on the instance, modify any code, delete all code, target internal hosts reachable from the Gogs server, and impersonate other users and gain more privileges.

That said, all four vulnerabilities require that the attacker be authenticated. Furthermore, triggering CVE-2024-39930 necessitates that the built-in SSH server is enabled, the version of the env binary used, and the threat actor is in possession of a valid SSH private key.

“If the Gogs instance has registration enabled, the attacker can simply create an account and register their SSH key,” the researchers said. “Otherwise, they would have to compromise another account or steal a user’s SSH private key.”

Gogs instances running on Windows are not exploitable, as is the Docker image. However, those running on Debian and Ubuntu are vulnerable due to the fact that the env binary supports the “–split-string” option.

According to data available on Shodan, around 7,300 Gogs instances are publicly accessible over the internet, with nearly 60% of them located in China, followed by the U.S., Germany, Russia, and Hong Kong.

It’s currently not clear how many of these exposed servers are vulnerable to the aforementioned flaws. SonarSource said it does not have any visibility into whether these issues are being exploited in the wild.

The Swiss cybersecurity firm also pointed out that the project maintainers “did not implement fixes and stopped communicating” after accepting its initial report on April 28, 2023.

In the absence of an update, users are recommended to disable the built-in SSH server, turn off user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has also released a patch that users can apply, but noted it hasn’t been extensively tested.

The disclosure comes as cloud security firm Aqua discovered that sensitive information such as access tokens and passwords once hard-coded could remain permanently exposed even after removal from Git-based source code management (SCM) systems.

Dubbed phantom secrets, the issue stems from the fact that they cannot be discovered by any of the conventional scanning methods – most of which look for secrets using the “git clone” command – and that certain secrets are accessible only via “git clone –mirror” or cached views of SCM platforms, highlighting the blind spots that such scanning tools may miss.

“Commits remain accessible through ‘cache views’ on the SCM,” security researchers Yakir Kadkoda and Ilay Goldman said. “Essentially, the SCM saves the commit content forever.”

“This means that even if a secret containing commit is removed from both the cloned and mirrored versions of your repository, it can still be accessed if someone knows the commit hash. They can retrieve the commit content through the SCM platform’s GUI and access the leaked secret.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.