Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-p2h2-3vg9-4p87] Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer #5027

Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-p2h2-3vg9-4p87",
"modified": "2024-11-19T19:37:12Z",
"modified": "2024-11-19T19:37:13Z",
"published": "2024-11-14T17:39:01Z",
"aliases": [
"CVE-2024-52308"
],
"summary": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer",
"details": "### Summary\n\nA security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the `gh codespace ssh` or `gh codespace logs` commands.\n\n### Details\n\nThe vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.\n\n### Impact\n\nSuccessful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.\n\n### Remediation and Mitigation\n\n1. Upgrade `gh` to `2.62.0`\n2. Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.",
"details": "### Note: The Edit suggestion has to do with the CPE assigned to this CVE. Here's the improvement suggestion I am making at the bottom:\n> Hi there! The CPE for this vulnerability is `cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*`, but the application is called `gh`. CVE/software-matching tools (e.g. FleetDM) will find the `gh` app but won't assign this CVE.\n> As a CNA, you could you update the CPE to include `cpe:2.3:a:github:gh:*:*:*:*:*:*:*:*`.\nCheers!\n\n### Summary\n\nA security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the `gh codespace ssh` or `gh codespace logs` commands.\n\n### Details\n\nThe vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.\n\n### Impact\n\nSuccessful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.\n\n### Remediation and Mitigation\n\n1. Upgrade `gh` to `2.62.0`\n2. Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.",
"severity": [
{
"type": "CVSS_V3",
Expand Down