GHSA-p2h2-3vg9-4p87
Vulnerability from github
Summary
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh
or gh codespace logs
commands.
Details
The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the default devcontainer image. GitHub CLI retrieves SSH connection details, such as remote username, which is used in executing ssh
commands for gh codespace ssh
or gh codespace logs
commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects ssh
arguments within the SSH connection details. gh codespace ssh
and gh codespace logs
commands could execute arbitrary code on the user's workstation if the remote username contains something like -oProxyCommand="echo hacked" #
. The -oProxyCommand
flag causes ssh
to execute the provided command while #
shell comment causes any other ssh
arguments to be ignored.
In 2.62.0
, the remote username information is being validated before being used.
Impact
Successful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.
Remediation and Mitigation
- Upgrade
gh
to2.62.0
- Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.61.0" }, "package": { "ecosystem": "Go", "name": "github.com/cli/cli/v2" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.62.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cli/cli" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.62.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-52308" ], "database_specific": { "cwe_ids": [ "CWE-77" ], "github_reviewed": true, "github_reviewed_at": "2024-11-14T17:39:01Z", "nvd_published_at": "2024-11-14T23:15:05Z", "severity": "HIGH" }, "details": "### Summary\n\nA security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the `gh codespace ssh` or `gh codespace logs` commands.\n\n### Details\n\nThe vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.\n\n### Impact\n\nSuccessful exploitation could lead to arbitrary code execution on the user\u0027s workstation, potentially compromising the user\u0027s data and system.\n\n### Remediation and Mitigation\n\n1. Upgrade `gh` to `2.62.0`\n2. Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.", "id": "GHSA-p2h2-3vg9-4p87", "modified": "2024-11-19T19:37:12Z", "published": "2024-11-14T17:39:01Z", "references": [ { "type": "WEB", "url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52308" }, { "type": "PACKAGE", "url": "https://github.com/cli/cli" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2024-3269" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.