GitHub High-Severity Vulnerability Exposed 10,000 Packages to RepoJacking

Checkmarx discovered that all renamed usernames on GitHub and the downstream apps were vulnerable to RepoJacking.

October 28, 2022

A GitHub vulnerability could have exposed thousands of code repositories, and the projects, software and applications relying on them, to exploitation. The vulnerability, termed RepoJacking (a portmanteau of the words repository and hijacking), threatened approximately 10,000 packages.

The Supply Chain Security team at Checkmarx discovered the GitHub vulnerability and assessed that it impacted all renamed usernames on the platform. The high-severity bug, now fixed by GitHub, arose due to a logical flaw in the popular repository namespace retirement tool, which dictates how traffic is redirected to and from a renamed repository.

“A GitHub feature that protects popular repository names of renamed user accounts from being re-created on the original, reclaimed username had a vulnerability,” Henrik Plate, CISSP and security researcher at Endor Labs, told Spiceworks.

This vulnerability allowed anyone to create a new repository under a previously used username, provided that username had since been renamed. A GitHub repository URL is composed of the username and the repository name, so if the URL of a repository containing malicious code matched that of a pre-existing repository whose owner had renamed their account, all traffic would be redirected to the malicious repository instead of the renamed one.

“Repo hijacking, a term coined by Checkmarx, is a technique used by attackers to break automated redirects such that open-source consumers end up at attacker-controlled repositories (rather than following the redirect).”

Checkmarx discovered that all renamed usernames and the downstream apps were vulnerable to RepoJacking. The company also identified 10,000 packages in Packagist, Go, and Swift package managers that were using renamed usernames and thus at risk of being exploited.


Plate pointed out that renaming repositories (not just usernames) can also expose the software supply chain to exploitation. “The vulnerability is serious – renaming is a common phenomenon in the open-source ecosystem,” Plate added.

“This vulnerability allowed attackers to create malicious repositories and spread malware to consumers that bookmarked the old, original repository name and relied on GitHub’s automated redirect.”

This is the second serious vulnerability discovered in 2022 in the Microsoft-owned GitHub’s popular repository namespace retirement tool. The first, discovered in May 2022 and also leveraging RepoJacking, granted attackers the ability to hijack and poison popular PHP packages with millions of downloads.

Malicious actors could have exploited this newly discovered flaw to execute malicious code in any application or software relying on automated redirects of renamed repositories. In essence, both vulnerabilities are cut from the same cloth.

“The root cause of the problem seems to be an architectural flaw in GitHub. Being independent of individual user settings, it’s no surprise that all renamed user accounts were affected,” Plate continued. “It’s common for attackers to take advantage of resource identifiers that have been abandoned by the original resource owners – be it GitHub repository names, email domains or URLs of package download sites (cf. CVE-2021-26291).”

“Expect comparable vulnerabilities and attacks to continue. Open-source consumers should be monitoring whether resources they consume have been renamed or moved. And rather than relying on automated redirects (and related protection mechanisms) to work properly, they should update those resource references to the new locations.”

To prevent malware from seeping into applications, developers can also inspect the code at the source before use.
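The advice above (monitor whether consumed resources have been renamed or moved, and replace references to the old location with the new one rather than trusting the redirect) is straightforward to automate because, as noted earlier, a GitHub dependency is identified by its owner/repository path. The following is an added example, not code from Checkmarx, GitHub or Spiceworks: it scans any manifest text containing github.com references (go.mod, Package.swift, composer.json and similar), asks how each namespace currently resolves without following redirects, and reports which dependencies only work through a rename redirect and which no longer resolve at all. The manifest, the owner names and the fake resolver responses are constructed for the demonstration; the live resolver issues an HTTP HEAD request and is only used when no resolver is injected.

```python
"""Audit a dependency manifest for GitHub references that rely on GitHub's
automatic rename redirect, or that no longer resolve. Added example; every
owner, repository and response below is constructed, not taken from the article."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Matches github.com/<owner>/<repo> (or the git@github.com:<owner>/<repo> form).
GITHUB_REF = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+)")

# A resolver answers (HTTP status, Location header or None) for a repository URL
# WITHOUT following redirects, so a 301 stays visible instead of being hidden.
Resolver = Callable[[str], Tuple[int, Optional[str]]]


@dataclass
class Finding:
    reference: str                      # "owner/repo" as written in the manifest
    status: str                         # "ok", "redirected", "missing" or "error"
    redirected_to: Optional[str] = None # new "owner/repo" when status == "redirected"


def extract_github_refs(manifest_text: str) -> List[str]:
    """Return unique owner/repo references in manifest order, dropping a .git suffix."""
    refs: List[str] = []
    for owner, repo in GITHUB_REF.findall(manifest_text):
        repo = repo[:-4] if repo.endswith(".git") else repo
        ref = f"{owner}/{repo}"
        if ref not in refs:
            refs.append(ref)
    return refs


def resolve_location(url: str) -> Tuple[int, Optional[str]]:
    """Live resolver: HEAD the URL and report status plus Location without following it."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=10) as response:
            return response.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def audit(manifest_text: str, resolver: Resolver = resolve_location) -> List[Finding]:
    """Classify each GitHub dependency by how its namespace currently resolves."""
    findings: List[Finding] = []
    for ref in extract_github_refs(manifest_text):
        try:
            status, location = resolver(f"https://github.com/{ref}")
        except Exception:
            findings.append(Finding(ref, "error"))
            continue
        if status == 200:
            findings.append(Finding(ref, "ok"))
        elif status in (301, 302, 307, 308) and location:
            # The redirect target is the location the reference should be updated to.
            target = GITHUB_REF.search(location)
            new_ref = f"{target.group(1)}/{target.group(2)}" if target else location
            findings.append(Finding(ref, "redirected", new_ref))
        elif status == 404:
            findings.append(Finding(ref, "missing"))
        else:
            findings.append(Finding(ref, "error"))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One actionable line per dependency that needs attention; healthy ones are silent."""
    lines = []
    for f in findings:
        if f.status == "redirected":
            lines.append(f"{f.reference}: reached only via rename redirect; update reference to {f.redirected_to}")
        elif f.status == "missing":
            lines.append(f"{f.reference}: namespace no longer resolves; verify the source before trusting it")
        elif f.status == "error":
            lines.append(f"{f.reference}: could not be resolved; re-check manually")
    return lines


# Constructed sample go.mod and a fake resolver standing in for live HTTP answers.
SAMPLE_GO_MOD = """module example.com/app

require (
    github.com/old-owner/widget v1.2.0
    github.com/stable-org/lib v0.4.1
    github.com/gone-user/tool v2.0.0
)
"""

FAKE_RESPONSES = {
    "https://github.com/old-owner/widget": (301, "https://github.com/new-owner/widget"),
    "https://github.com/stable-org/lib": (200, None),
    "https://github.com/gone-user/tool": (404, None),
}


def fake_resolver(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for line in report(audit(SAMPLE_GO_MOD, fake_resolver)):
        print(line)
```

Run against a real manifest by calling `audit(open("go.mod").read())` with the default live resolver. A "redirected" finding is the state the article warns about: the build still works today only because GitHub forwards the old path, so the reference should be rewritten to the new owner. A "missing" finding means the old namespace is currently unclaimed, which is exactly the condition a RepoJacking attempt relies on, so such a dependency should be pinned to a reviewed commit or vendored rather than re-fetched by name.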




Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com