Gogs Vulnerabilities Allow Attackers to Hack Instances and Steal Source Code

The cybersecurity researchers at SonarSource recently uncovered several vulnerabilities in the popular open-source code hosting system, Gogs. These vulnerabilities could potentially lead to source code theft, backdoor implantation, and code removal, putting Gogs instances at risk.

Despite Gogs’ widespread use and popularity, with over 44,000 GitHub stars and 90 million Docker image downloads, these vulnerabilities remain unpatched. This discovery underscores the importance of securing development tools and self-hosted code repositories to prevent cyber attacks.

One of the critical vulnerabilities found in Gogs is an Argument Injection Vulnerability in the built-in SSH server. This flaw allows authenticated attackers to execute commands on the server by exploiting the ‘--split-string’ option of the ‘env’ command, bypassing security measures. Even in the latest Gogs release (0.13.0), this vulnerability remains unaddressed.

According to the SonarSource report, approximately 7,300 open Gogs instances on Shodan are susceptible to this security issue. This poses a significant risk to the source code integrity and server protection of organizations relying on Gogs for code hosting.

To exploit the Gogs SSH server vulnerability, three conditions must be met: the built-in SSH server must be enabled, a valid SSH key is required, and the ‘env’ command on the server must support the “--split-string” option. Exploitable setups typically use GNU coreutils on Ubuntu or Debian, while Alpine Linux-based Docker images and Windows installations are not affected.

Attackers can create accounts and add SSH keys if registration is enabled, making it essential for admins to check their SSH settings in the admin panel. Maintainers of Gogs had initially accepted vulnerability reports but ceased communication and left all four reported issues unpatched in the latest version. As a result, users are advised to implement their own mitigations to safeguard their installations.

Security analysts have provided several recommendations and mitigations to address these vulnerabilities, including disabling the built-in SSH server, disabling user registration, and considering a switch to Gitea. It is crucial for users to take proactive steps to protect their systems and prevent potential security breaches.
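The three exploitation conditions and the two configuration mitigations above can be checked on a host with a short audit script. This is an added example, not code from Gogs or SonarSource; it assumes the settings live in app.ini as START_SSH_SERVER under [server] and DISABLE_REGISTRATION under [auth] (or [service] in older configs), and the function names are illustrative.

```sh
# Added example: audit a Gogs host against the conditions in the article.
# Assumed keys: [server] START_SSH_SERVER, [auth] DISABLE_REGISTRATION
# (older configs: [service]). Keys that are unset are treated as false.

# ini_get FILE SECTION KEY -> print the value of KEY, empty if absent
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }                                   # comment line
    /^[ \t]*\[/   { gsub(/^[ \t]*\[|\][ \t\r]*$/, ""); cur = $0; next }
    cur == sec && (i = index($0, "=")) {
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

is_true() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in true|1|yes|on) return 0 ;; esac
  return 1
}

ssh_server_enabled() { is_true "$(ini_get "$1" server START_SSH_SERVER)"; }

registration_open() {
  reg=$(ini_get "$1" auth DISABLE_REGISTRATION)
  [ -n "$reg" ] || reg=$(ini_get "$1" service DISABLE_REGISTRATION)
  ! is_true "$reg"
}

# Succeeds only if this host's env accepts the long option (it just runs `true`).
env_has_split_string() { env --split-string=true >/dev/null 2>&1; }

gogs_audit() {
  if ssh_server_enabled "$1"; then echo "RISK built-in SSH server is enabled"
  else echo "ok   built-in SSH server is disabled"; fi
  if registration_open "$1"; then echo "RISK self-registration is open"
  else echo "ok   self-registration is disabled"; fi
  if env_has_split_string; then echo "RISK env supports --split-string"
  else echo "ok   env lacks --split-string"; fi
}

# Constructed sample config, not taken from a real deployment.
sample_ini() {
  printf '%s\n' '[server]' 'START_SSH_SERVER = true' 'SSH_PORT = 2222' \
                '[auth]' 'DISABLE_REGISTRATION = false'
}

# With no argument, audit the constructed sample instead of a real app.ini.
if [ "$#" -gt 0 ]; then gogs_audit "$1"
else tmp=$(mktemp) && sample_ini > "$tmp" && gogs_audit "$tmp"; rm -f "$tmp"; fi
```

Run it on the Gogs host itself with the path to the instance's app.ini as the only argument, since the env check reflects the machine the script runs on.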

In conclusion, the discovery of vulnerabilities in Gogs highlights the ongoing challenge of securing development tools and self-hosted code repositories. As cyber threats continue to evolve, it is essential for organizations to prioritize cybersecurity measures and address vulnerabilities promptly to safeguard their sensitive information and infrastructure.
