Four unpatched security flaws, including three critical ones, were discovered in the Gog a proprietary open source Git service that can allow an authenticated attacker to compromise susceptible instances, steal or erase source code, and even install backdoors.
The vulnerabilities, according to SonarSource researchers Thomas Schachfuen and Paul Gerste, are listed below –
- CVE-2024-39930 (CVSS Score: 9.9) – Introduction of arguments to the built-in SSH server
- CVE-2024-39931 (CVSS Score: 9.9) – Delete internal files
- CVE-2024-39932 (CVSS Score: 9.9) – Argument input while previewing changes
- CVE-2024-39933 (CVSS score: 7.7) – Introduction of arguments when marking new releases
Successful exploitation of the first three flaws could allow an attacker to execute arbitrary commands on the Gogs server, while the fourth flaw allows attackers to read arbitrary files such as source code and configuration secrets.
In other words, by exploiting the issues, a threat actor can read source code on an instance, modify any code, delete all code, target internal hosts reachable from the Gogs server, and impersonate other users to gain more privileges.
However, all four vulnerabilities require an attacker to authenticate. Additionally, to trigger CVE-2024-39930, the embedded SSH server must be enabled, the version of the env binary used, and the threat actor must have a valid SSH private key.
“If a Gogs instance has logging enabled, an attacker can simply create an account and register their SSH key,” the researchers note. said. “Otherwise, they would have to compromise another account or steal the user’s SSH private key.”
Gogs instances running on Windows are not exploitable, and neither is the Docker image. However, those running on Debian and Ubuntu are vulnerable due to the env binary supporting the “–split-string” option.
According to data available on Shodan, about 7,300 copies of Gogs are publicly available online, with nearly 60% located in China, followed by the US, Germany, Russia and Hong Kong.
It is currently unclear how many of these exposed servers are vulnerable to the aforementioned flaws. SonarSource said it doesn’t know if these issues are being used in the wild.
The Swiss cybersecurity firm also noted that the project’s support specialists “failed to patch and stop communication” after accepting its initial report on April 28, 2023.
In the absence of an update, users are advised to disable the built-in SSH server, disable user registration to prevent mass exploitation, and consider switching to Gitea. SonarSource has it too released a patch that users can apply, but noted that it has not been thoroughly tested.
The disclosure comes after cloud security firm Aqua discovered that sensitive information such as access tokens and passwords, once hard-coded, can remain exposed forever, even after being deleted from Git-based source code control (SCM) systems.
The problem, called phantom secrets, arises because they cannot be detected by any of the usual scanning methods – most of which look for secrets using the “git clone” command – and that some secrets are only available via “git clone — mirror ” or cached views of SCM platforms, highlighting blind spots that such scanning tools can miss.
“Commits remain available through ‘cache views’ on SCM,” security researchers Yakir Kadkoda and Ilai Goldman said. “Essentially, SCM stores the commit content forever.”
“This means that even if the secret containing the commit is deleted from both the cloned and mirrored versions of your repository, it can still be accessed if someone knows the hash of the commit. They can retrieve the content of the commit through the GUI of the SCM platform and access the leaked secret.”
