
GitHub flaw prompts key rotation


GitHub has rotated its keys after learning from its bug bounty program that a high-severity vulnerability could allow access to credentials within a production container.

In a Jan. 16 blog post, GitHub said it received a report on the flaw on Dec. 26, patched the vulnerability on GitHub.com the same day, and began rotating all potentially exposed credentials. GitHub credited Ngo Wei Lin (@Creastery) of STAR Labs (@starlabs_sg) for reporting the vulnerability.

The GitHub researchers said they assess with “high confidence” that this vulnerability — CVE-2024-0200 — has not been previously found or exploited. While they are confident that the impact was isolated to the bug bounty researcher who reported the incident, they rotate credentials any time they are exposed to a third party.

The vulnerability was also discovered on GitHub Enterprise Server (GHES). Security teams that verify GitHub.com commit signatures outside of GitHub, including verification performed within GHES, will need to import GitHub's new public key.
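A concrete way to see whether that applies to you is to ask git which commits in a checkout can no longer be verified because the signer's public key is not in the local keyring. The script below is an added illustration, not code from GitHub or from the article; it relies on git's real `%G?` (signature status) and `%GK` (signing key id) log placeholders, and the commit hashes and key ids in the sample output are constructed. Commits with status `E` are the ones whose signature is intact but cannot be checked locally, which is exactly the symptom after a signer rotates keys; importing the new public key with `gpg --import` and re-running the log should move them to `G`.

```python
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? signature-status placeholder (git-log(1), "pretty formats").
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing public key)",
    "N": "no signature",
}

# Tab-separated: commit hash, %G? status, signing key id, subject line.
GIT_LOG_FORMAT = "%H%x09%G?%x09%GK%x09%s"


@dataclass
class CommitSignature:
    sha: str
    status: str
    key_id: str
    subject: str


def parse_git_log(text: str) -> list:
    """Parse lines produced by `git log --format=<GIT_LOG_FORMAT>`."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key_id, subject = line.split("\t", 3)
        rows.append(CommitSignature(sha, status, key_id, subject))
    return rows


def triage(rows: list) -> dict:
    """Split commits into verified, unverifiable-for-missing-key and problem buckets."""
    report = {"verified": [], "missing_keys": set(), "problems": []}
    for row in rows:
        if row.status in ("G", "U"):
            report["verified"].append(row.sha)
        elif row.status == "E":
            # Expected after a signer rotates keys until the new public key is imported.
            report["missing_keys"].add(row.key_id)
        else:
            report["problems"].append((row.sha, SIGNATURE_STATUS.get(row.status, row.status)))
    return report


def signatures_from_repo(repo_path: str, rev_range: str = "HEAD~50..HEAD") -> list:
    """Run git against a real checkout (needs git and gpg; the sample below does not use it)."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={GIT_LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return parse_git_log(proc.stdout)


# Constructed sample output (fake hashes and key ids): merges signed with the old key still
# verify because that key is in the keyring, merges signed with the new key cannot be checked yet.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tOLDKEYID00000001\tMerge pull request #1\n"
    "2222222222222222222222222222222222222222\tE\tNEWKEYID00000002\tMerge pull request #2\n"
    "3333333333333333333333333333333333333333\tN\t\tlocal unsigned commit\n"
    "4444444444444444444444444444444444444444\tE\tNEWKEYID00000002\tMerge pull request #3\n"
    "5555555555555555555555555555555555555555\tB\tOLDKEYID00000001\ttampered commit\n"
)


def sample_report() -> dict:
    return triage(parse_git_log(SAMPLE_LOG))


if __name__ == "__main__":
    report = sample_report()
    print("verified commits:", len(report["verified"]))
    print("import these signer key ids, then re-check:", sorted(report["missing_keys"]))
    for sha, why in report["problems"]:
        print("needs attention:", sha[:12], why)
```

The `E` bucket is the one to clear by importing the new key; anything left in `problems` (bad signatures, unsigned commits on a branch that should be signed) is a separate finding and should not be explained away by the rotation.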

"Rotating keys" means updating or changing the cryptographic keys used for securing communications or access, explained Anurag Gurtu, chief product officer at StrikeReady. It’s a standard security practice to prevent unauthorized access, especially after a security incident, said Gurtu.

“If GitHub hadn't rotated their keys following the alert of a vulnerability, it could have potentially led to unauthorized access to multiple code repositories,” said Gurtu. “This unauthorized access could compromise the integrity and security of the code hosted on GitHub. Rotating keys in this context was a significant step in mitigating the risk and securing the repositories and user data against possible exploitation stemming from the vulnerability.”

Joseph Carson, chief security scientist and Advisory CISO at Delinea, explained that rotating keys is just like rotating passwords, but much more complex depending on the type of function the key is used for. Carson said while passwords tend to get used for authentication, keys — sometimes known as secrets — tend to be in the form of a cryptographic key used for different purposes such as encryption, digital signatures, key exchange, hash functions, authentication, tokens, access control, secure communications, and file transfer.

“Keys are often rotated on a periodic basis as the risks tend to increase during the lifetime of keys,” said Carson. “Therefore, rotating keys is a common occurrence for many IT administrators and applications owners. Using a secrets or key management solution can often simplify the key rotation process to ensure a higher level of security and consistency is in place.”   
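The two rotation modes Carson and GitHub describe, scheduled rotation with an overlap window and immediate retirement of a key exposed to a third party, can be shown with a small key ring. The block below is an added example, not code from Delinea, GitHub or the article; it uses HMAC-signed tokens as a stand-in for whatever credential type is being rotated, and all key ids, timestamps and payloads are constructed. Each key carries an id so a verifier can tell which key signed a token, the previous key keeps verifying for a grace period after a planned rotation, and `revoke` cancels that grace period for the exposure case.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class KeyRing:
    """HMAC signing keys with a key id, one active key and a retirement time per old key."""

    def __init__(self, grace_seconds: int):
        self.grace_seconds = grace_seconds
        self._keys = {}        # kid -> secret bytes
        self._retire_at = {}   # kid -> unix time after which the key no longer verifies, or None
        self.active_kid: Optional[str] = None
        self._counter = 0

    def rotate(self, now: int) -> str:
        """Scheduled rotation: new active key; the old one verifies until now + grace."""
        if self.active_kid is not None:
            self._retire_at[self.active_kid] = now + self.grace_seconds
        self._counter += 1
        kid = f"k{self._counter}"
        self._keys[kid] = secrets.token_bytes(32)
        self._retire_at[kid] = None
        self.active_kid = kid
        return kid

    def revoke(self, kid: str, now: int) -> None:
        """Exposure path: the key stops verifying immediately, with no grace window."""
        if kid not in self._keys:
            return
        if kid == self.active_kid:
            self.rotate(now)          # rotate() grants a grace window ...
        self._retire_at[kid] = now    # ... which we cancel for the exposed key

    def sign(self, payload: bytes) -> str:
        kid = self.active_kid
        body = base64.urlsafe_b64encode(payload).decode()
        mac = hmac.new(self._keys[kid], f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
        return f"{kid}.{body}.{mac}"

    def verify(self, token: str, now: int) -> Tuple[Optional[bytes], str]:
        """Return (payload, 'ok') or (None, reason)."""
        try:
            kid, body, mac = token.split(".")
        except ValueError:
            return None, "malformed"
        key = self._keys.get(kid)
        if key is None:
            return None, "unknown key id"
        retire_at = self._retire_at[kid]
        if retire_at is not None and now >= retire_at:
            return None, "key retired"
        expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None, "bad mac"
        return base64.urlsafe_b64decode(body), "ok"


if __name__ == "__main__":
    ring = KeyRing(grace_seconds=3600)
    k1 = ring.rotate(now=1000)
    token = ring.sign(b"deploy:prod")          # constructed payload
    k2 = ring.rotate(now=2000)                 # planned rotation, k1 still good for an hour
    print("old token during grace:", ring.verify(token, now=2500)[1])
    print("old token after grace:", ring.verify(token, now=5600)[1])
    ring.revoke(k2, now=6000)                  # k2 was exposed: retire it now
    print("active key after revoke:", ring.active_kid)
```

The grace window is what makes a planned rotation invisible to clients that still hold tokens from the old key; the exposure path deliberately skips it, which is the trade-off GitHub made when it chose to rotate rather than wait.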

John Bambenek, president at Bambenek Consulting, said for automated processes and APIs where human authentication is not possible, security teams use keys — essentially long passwords. If those are compromised, an attacker can do anything that key permits, said Bambenek.

“Since these are automated processes, MFA is not an option and often there’s no notification to a human such authentication happened,” said Bambenek. “If this wasn’t caught, presumably many repos could have had malicious commits entered. Considering the large number of shared libraries that exist on GitHub, we’d have ended up with a collection of digital dumpster fires as those malicious commits could end up in untold organizations all relying on those shared code libraries.”
