Four vulnerabilities were found in the Gogs Git service, affecting multiple versions up to 0.13.0. The vulnerabilities can affect the confidentiality and availability of data, and code execution is also possible. Continue reading this Cybersecurity Threat Advisory to protect your accounts and systems.
What is the threat?
There are four unpatched security flaws, including three critical ones, that have been disclosed in the Gogs open-source, self-hosted Git service. If exploited, they can enable an authenticated attacker to breach susceptible instances, steal or wipe source code, and even plant backdoors. The four vulnerabilities are:
- CVE-2024-39930: This vulnerability is an argument injection flaw on the built-in SSH server. This requires the built-in SSH server to be enabled, and the server is not enabled by default. This means you can mitigate this vulnerability by disabling it.
- CVE-2024-39931: This vulnerability is a directory traversal that allows attackers to delete arbitrary files through the API used by the delete button. Beyond deleting files, attackers can chain this flaw into remote code execution by abusing Git's default behavior, broken repositories, and the ability to modify the commands Git runs.
- CVE-2024-39932: This is another argument injection flaw, in the change preview API. An attacker can use it to break Git repositories and then apply the same chain described for CVE-2024-39931.
- CVE-2024-39933: This is another argument injection, in the tags API used when creating new releases.
Why is it noteworthy?
These vulnerabilities are noteworthy because of their ability to allow attackers to delete files and perform argument injections. Mission-critical or confidential data can be compromised, stolen, or deleted. Furthermore, the researchers who discovered these vulnerabilities have released a highly detailed write-up on how these vulnerabilities work.
What is the exposure or risk?
These vulnerabilities affect self-hosted Git servers, and all of the attacks are carried out over the network and require authentication. It is therefore important to consider how accessible the server is. If it is reachable from the internet, and/or registration is enabled, the risk increases significantly. Because the attacker can inject arbitrary commands, the server can be used as a foothold to attack other systems.
What are the recommendations?
Barracuda MSP recommends the following actions to ensure your Gogs server does not become compromised:
- Install the patch released by Sonar (the security researchers who found the vulnerabilities): https://gist.githubusercontent.com/paul-gerste-sonarsource/207f5dc79f59bb256a0bfccda4e3e92b/raw/Gogs-security-fixes-by-Sonar.patch
- Consider changing to another self-hosted Git solution, such as Gitlab or Gitea, the latter being a fork of Gogs.
- Place your internet-accessible service in a DMZ. This limits the access a compromised device would have to internal resources, reducing the attack surface significantly.
- Use a VPN when accessing it remotely.
- Monitor for exploitation and new users.
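The following is an added example, not part of this advisory or of the Gogs project: a small Python script that checks an app.ini for the two settings the advisory ties to exposure (built-in SSH server off, public registration off) and scans request logs for file-delete calls carrying path traversal. The sample config and log lines are constructed; the log layout, the `/_delete/` route name and the registration-enabled default are assumptions.

```python
"""Check a Gogs app.ini against this advisory and scan request logs for
file-delete calls carrying path traversal (CVE-2024-39931)."""
import configparser
import re
from urllib.parse import unquote

# Constructed sample config; section/key names are Gogs' own app.ini keys.
SAMPLE_APP_INI = """
[server]
START_SSH_SERVER = true

[service]
DISABLE_REGISTRATION = false
"""
# (section, key, expected value, why it matters for this advisory)
CHECKS = [
    ("server", "START_SSH_SERVER", "false",
     "CVE-2024-39930 needs the built-in SSH server; leave it off"),
    ("service", "DISABLE_REGISTRATION", "true",
     "all four flaws are authenticated; open sign-up widens exposure"),
]
# Applied when a key is absent (registration-enabled default is an assumption).
DEFAULTS = {"START_SSH_SERVER": "false", "DISABLE_REGISTRATION": "false"}

def audit_app_ini(text):
    """Return [(section, key, actual, expected, reason)] for each failed check."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gogs' upper-case key names intact
    cp.read_string(text)
    findings = []
    for section, key, expected, reason in CHECKS:
        actual = cp.get(section, key, fallback=DEFAULTS[key]).strip().lower()
        if actual != expected:
            findings.append((section, key, actual, expected, reason))
    return findings

# Constructed access-log lines; the layout and the /_delete/ route are assumed.
SAMPLE_LOG = """\
10.0.0.5 alice "POST /alice/app/_delete/master/README.md" 302
10.0.0.9 mallory "POST /mallory/x/_delete/master/..%2F..%2F..%2Fgogs.db" 302
10.0.0.7 bob "GET /bob/app/src/master/README.md" 200
"""
DELETE_REQ = re.compile(r'^(\S+) (\S+) "POST (\S+/_delete/\S+)" (\d+)$')

def traversal_deletes(log_text):
    """Return (client, user, decoded path) for delete requests whose URL-decoded
    path contains a '..' segment, which a legitimate file delete never needs."""
    hits = []
    for line in log_text.splitlines():
        m = DELETE_REQ.match(line)
        if m and ".." in unquote(m.group(3)).split("/"):
            hits.append((m.group(1), m.group(2), unquote(m.group(3))))
    return hits
```

Decoding before the `..` check matters because the traversal sequence may arrive URL-encoded, as in the constructed second log line.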
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/
- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-2/
- https://thehackernews.com/2024/07/critical-vulnerabilities-disclosed-in.html
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.