A critical security vulnerability has been discovered in GitHub CLI that could allow attackers to execute malicious commands on a user’s system through remote code execution (RCE).
The flaw, identified as CVE-2024-32002, affects versions of GitHub CLI prior to 2.62.0 and poses a significant risk to developers who use the tool to interact with GitHub repositories and services.
The vulnerability stems from the way GitHub CLI handles SSH connection details when users connect to Codespace environments.
Specifically, the issue arises when using the `gh codespace ssh` or `gh codespace logs` commands to interact with a malicious Codespace SSH server.
The exploit takes advantage of the fact that GitHub CLI retrieves SSH connection details, including the remote username, which is then used to execute SSH commands.
An attacker could craft a malicious devcontainer with a modified SSH server that injects arbitrary SSH arguments into the connection details.
When a user connects to a compromised Codespace, the attacker can manipulate the remote username to include malicious SSH arguments.
For example, a crafted username containing `-oProxyCommand="echo hacked" #` could cause the SSH command to execute arbitrary code on the user's workstation, the advisory reads.
The `-oProxyCommand` flag instructs SSH to execute the provided command, while the `#` character acts as a shell comment, effectively hiding any subsequent SSH arguments.
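The defensive counterpart to this injection is to treat the remote username as untrusted data before it reaches the `ssh` argument list. The following Go snippet is an added example, not GitHub CLI's own code or fix: it assumes a hypothetical `BuildSSHArgs` helper that rejects any username that is not a plausible login name (so a value beginning with `-` can never be parsed as an option) and places `--` before the destination as defense in depth.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// remoteUserRe is an assumed allowlist for login names: must start with a
// letter or underscore, so an option-like value such as "-oProxyCommand=..."
// fails before it is ever handed to ssh.
var remoteUserRe = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

var ErrBadRemoteUser = errors.New("remote username is not a valid login name")

// ValidateRemoteUser returns an error for any username that could be
// interpreted as an ssh option or contain shell metacharacters.
func ValidateRemoteUser(user string) error {
	if !remoteUserRe.MatchString(user) {
		return ErrBadRemoteUser
	}
	return nil
}

// BuildSSHArgs assembles the argument vector for exec'ing ssh (no shell).
// The "--" ends option parsing so the destination is never read as a flag.
func BuildSSHArgs(user, host string, port int, remoteCmd []string) ([]string, error) {
	if err := ValidateRemoteUser(user); err != nil {
		return nil, err
	}
	args := []string{"-p", fmt.Sprint(port), "--", user + "@" + host}
	return append(args, remoteCmd...), nil
}

func main() {
	// Constructed inputs: a benign username and the advisory's injected one.
	for _, u := range []string{"codespace", `-oProxyCommand="echo hacked" #`} {
		args, err := BuildSSHArgs(u, "example.invalid", 2222, []string{"ls"})
		fmt.Printf("user=%q args=%q err=%v\n", u, args, err)
	}
}
```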
Successful exploitation of this vulnerability could lead to:
- Arbitrary code execution on the user’s system
- Potential compromise of sensitive data and credentials
- Installation of malware or backdoors
- Further lateral movement within the user’s network
To protect against this vulnerability, GitHub has released version 2.62.0 of the CLI tool, which includes a fix for the issue. Users are strongly advised to take the following actions:
- Upgrade GitHub CLI to version 2.62.0 or later immediately
- Exercise caution when using custom devcontainer images
- Prefer default or pre-built devcontainers from trusted sources
- Be wary of connecting to Codespaces from untrusted repositories
This vulnerability highlights the importance of security in developer tools and the potential risks associated with remote development environments.
As the use of cloud-based development environments continues to grow, it is crucial for both tool providers and users to prioritize security and implement robust validation mechanisms to prevent similar vulnerabilities in the future.