A critical remote code execution vulnerability (CVE-2024-52308) has been discovered in GitHub CLI version 2.6.1 and earlier, affecting commands such as gh codespace ssh and gh codespace logs. Fortunately, the vulnerability has been patched in CLI version 2.62. The exploit occurs when you connect to a malicious codespace SSH server, delivered through a carefully crafted devcontainer that runs hostile SSH server code.

Details

When developers connect to remote codespaces, they typically rely on an SSH server that runs within GitHub's default devcontainer. You can learn more about it in the Introduction to Dev Containers documentation.

The [GitHub CLI retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042dc5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as the remote username, which it then uses when [executing ssh commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263). These steps are essential when running gh codespace ssh or gh codespace logs.

The exploit is triggered by connecting to a codespace with a rogue SSH server. This can happen when you use a devcontainer shared by an untrusted source. The vulnerability lies in malicious ssh arguments injected through the SSH connection details: because the remote username is passed to ssh without validation, an attacker could insert a string like -oProxyCommand="echo hacked" # as the remote username, causing the user's workstation to execute arbitrary commands.

1. The user connects to a codespace whose SSH server is under the attacker's control, for example through a devcontainer obtained from an untrusted source.

2. The malicious server injects a harmful command within the remote username information.

3. The unsuspecting user runs gh codespace ssh or gh codespace logs, causing ssh to execute the attacker's arbitrary code on the user's workstation.

The -oProxyCommand option, in this case, instructs ssh to run the attacker's command locally before the connection is even established, and the trailing # shell comment causes any ssh arguments that follow to be ignored, so the injected command runs cleanly without breaking the invocation.

Resolution

To fix this vulnerability, simply upgrade your GitHub CLI to version 2.62. or later, where the remote username is thoroughly validated before it is passed to ssh. This will help protect your system from unwanted remote code execution during gh codespace ssh or gh codespace logs commands.
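The following Go snippet is an added example, not the GitHub CLI's own code or its actual patch. It shows the kind of validation that closes this bug class: a server-supplied remote username is checked against a constructed allowlist (the pattern, the `validateRemoteUser` and `buildSSHArgs` names, and the sample host and port are all assumptions of this example) before it is placed in the ssh argument list, and `--` is added as a second layer so that getopt-style parsing never treats the username as an option.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// remoteUserPattern is a constructed allowlist for this example: a login-style
// name that cannot begin with '-', so ssh can never parse it as an option.
var remoteUserPattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$`)

// validateRemoteUser rejects any username that ssh could interpret as something
// other than a login name (leading '-', whitespace, quotes, '#', and so on).
func validateRemoteUser(user string) error {
	if user == "" {
		return errors.New("remote username is empty")
	}
	if strings.HasPrefix(user, "-") {
		return fmt.Errorf("remote username %q starts with '-' and could be parsed as an ssh option", user)
	}
	if !remoteUserPattern.MatchString(user) {
		return fmt.Errorf("remote username %q contains characters outside the allowed set", user)
	}
	return nil
}

// buildSSHArgs assembles the ssh argv only after the server-supplied username
// passes validation. The "--" separator ends option parsing, so everything
// after it is positional even if validation were ever weakened.
func buildSSHArgs(user, host string, port int) ([]string, error) {
	if err := validateRemoteUser(user); err != nil {
		return nil, err
	}
	return []string{"-p", fmt.Sprintf("%d", port), "--", user + "@" + host}, nil
}

func main() {
	// Constructed inputs: a benign username and the injected value quoted above.
	for _, u := range []string{"codespace", `-oProxyCommand="echo hacked" #`} {
		args, err := buildSSHArgs(u, "localhost", 2222)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("ssh", strings.Join(args, " "))
	}
}
```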

You should also be cautious when connecting to codespaces provided by unknown parties, as they could contain malicious code. To limit possible risks, always verify the devcontainer configurations and their origins, and avoid using untrusted sources for your development environments.

Stay safe, and keep your GitHub CLI up-to-date to ensure a secure codespace experience!

Timeline

Published on: 11/14/2024 23:15:05 UTC
Last modified on: 11/20/2024 15:07:43 UTC