Abstract: A critical vulnerability (CVE-2022-23740) has been identified in GitHub Enterprise Server (GHES) version 3.7.0. The flaw is an improper neutralization of argument delimiters in a command (argument injection), which allows remote code execution on the GHES instance by an attacker who has permission to create and build a GitHub Pages site using GitHub Actions. GitHub has released version 3.7.1 to address the vulnerability, which was reported through the GitHub Bug Bounty program.

Body

A recent vulnerability, identified as CVE-2022-23740, was discovered in GitHub Enterprise Server (GHES) version 3.7.0. It allows an attacker to achieve remote code execution on the GHES instance, and it stems from an improper neutralization of argument delimiters within a command. Before delving into the details of the issue and how to address it, here is a quick outline of each component involved.

- GitHub Enterprise Server: The self-hosted version of GitHub that lets organizations run their repositories and developer tooling on their own infrastructure. Because it is self-hosted, code execution in GHES means code execution on a host the organization operates.

- GitHub Pages: A feature that builds and hosts static websites directly from a repository.

- GitHub Actions: A feature that runs automated, customizable software development workflows directly from a repository. On GHES it can also be used to build GitHub Pages sites, which is the path this vulnerability goes through.

In GHES 3.7.0, the vulnerability exists because argument delimiters (such as whitespace, quotes, or shell metacharacters) in an attacker-controlled value are not neutralized before that value is placed into a command. The untrusted value is therefore interpreted as additional arguments or commands rather than as plain data. An attacker who has permission to create and build a GitHub Pages site using GitHub Actions can exploit this to execute arbitrary code on the GHES instance, with whatever privileges the Pages build process holds.

Suppose, as a generic illustration (not the actual GHES code path, which GitHub has not published), that a build step constructs a command line from a user-controlled value like this:

sh -c "command --input_file=$user_input.txt"

Because $user_input is substituted into a string that the shell then parses, the attacker is not limited to supplying a simple file name: any argument delimiter in the value (whitespace, quotes, or a command separator such as ;) is interpreted by the shell. For instance, the attacker could supply a file name like this:

evil_input.txt; rm -rf /

The shell then sees command --input_file=evil_input.txt; rm -rf /.txt: the semicolon terminates the intended command, and rm -rf / runs as a second command with the privileges of the build process, potentially with catastrophic consequences. Note that the weakness class here (CWE-88, argument injection) does not require a shell at all: if the assembled string is merely word-split into an argument vector, whitespace alone lets the attacker append extra options (for example an output path) to the intended command.
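The following is an added example, not GitHub's code and not the GHES code path; it uses a hypothetical stand-in builder (constructed here, with made-up --input_file and --output_dir options) to show what the string above turns into for a shell, how whitespace alone injects an extra argument when the string is word-split into argv, and how passing the value as a single argv element plus an allowlist check keeps it as data:

```python
"""Added example (not GitHub's code): how an untrusted value pasted into a
command line becomes extra shell commands or extra arguments, and how to
pass it so that it stays plain data."""
import json
import re
import shlex
import subprocess
import sys

# Hypothetical stand-in for a site builder, constructed for this example.
# It parses two options and reports what it received, so we can see which
# arguments an injected value produced without running anything dangerous.
BUILDER_SRC = r"""
import argparse, json
p = argparse.ArgumentParser()
p.add_argument("--input_file", required=True)
p.add_argument("--output_dir", default="_site")
args, unknown = p.parse_known_args()
print(json.dumps({"input_file": args.input_file,
                  "output_dir": args.output_dir,
                  "unknown": unknown}))
"""


def run_builder(argv):
    """Run the stand-in builder with an explicit argv list (no shell involved)."""
    proc = subprocess.run([sys.executable, "-c", BUILDER_SRC, *argv],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def shell_words(cmdline):
    """Tokenise a command line the way a POSIX shell would, treating ';' as a
    separator, so we can see what `sh -c` would execute without executing it."""
    return list(shlex.shlex(cmdline, punctuation_chars=True))


def build_unsafe(user_input):
    """Vulnerable: the value is interpolated into a command string that is
    then word-split. Whitespace in user_input becomes an argument delimiter,
    so the attacker can add options of their own (CWE-88, no shell needed)."""
    cmdline = f"--input_file={user_input}.txt"
    return run_builder(shlex.split(cmdline))


def build_argv_only(user_input):
    """Better: the value travels as one argv element, so whitespace, quotes
    and ';' are data rather than delimiters. It is still not validated."""
    return run_builder([f"--input_file={user_input}.txt"])


# Allowlist for file names: must start with an alphanumeric (so the value can
# never be mistaken for an option), limited charset, bounded length.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def build_safe(user_input):
    """Hardened: reject anything outside the allowlist, then pass the value
    as one argv element."""
    if not NAME_RE.fullmatch(user_input):
        raise ValueError(f"rejected input file name: {user_input!r}")
    return run_builder([f"--input_file={user_input}.txt"])


if __name__ == "__main__":
    payload = "evil_input.txt; rm -rf /"
    print(shell_words(f"builder --input_file={payload}.txt"))
    injected = "evil --output_dir=/tmp/pwn"
    print(build_unsafe(injected))      # output_dir hijacked by the attacker
    print(build_argv_only(injected))   # whole string stays the file name
    try:
        build_safe(injected)
    except ValueError as err:
        print(err)
    print(build_safe("index"))
```

The two fixes are complementary: the argv list removes the delimiter problem entirely, and the allowlist stops a value such as --output_dir=... from being accepted as a legitimate file name if it is ever passed as its own argument.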

To protect GHES 3.7.0 users, GitHub has released version 3.7.1, which fixes the vulnerability. Organizations running GHES 3.7.0 should upgrade immediately and confirm afterwards that the instance reports version 3.7.1 or later. Until the upgrade is complete, limiting who may create and build GitHub Pages sites with GitHub Actions reduces exposure, since that permission is required to exploit the flaw.

This vulnerability was reported through the GitHub Bug Bounty program, which rewards security researchers for responsibly disclosing vulnerabilities in GitHub products.

In conclusion, it is essential to stay up to date with security patches and to follow best practices when deploying and operating services like GitHub Enterprise Server. Regularly reviewing the security of your systems and participating in bug bounty programs can help address vulnerabilities proactively and keep your organization's assets secure.

Timeline

Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/30/2022 18:11:00 UTC