Waiting for security patch: Self-hosted Git service Gogs is vulnerable
In the default configuration, attackers can inject malicious code into Gogs servers. So far, admins can only protect their systems with a workaround.
A security vulnerability allows attackers to compromise instances of the self-hosted Git service Gogs. No security update has been released so far, and it is unclear when one will come. Until a patch is available, admins must protect their systems with the right configuration settings.
The danger
Security researchers from Rapid7 discovered the vulnerability. In their report, they rate it as "critical"; no CVE number is given. An attacker must already be authenticated, however. If that is the case, they can manipulate the rebase-before-merging operation and introduce malicious code onto the system. A server attacked this way must then be regarded as completely compromised.
Because Gogs ships with DISABLE_REGISTRATION = false by default, attackers can simply create an account and then carry out the attack, the researchers explain. Their report describes how such an attack could proceed. So far, the researchers have no indications that the vulnerability is being exploited in the wild. Nevertheless, they list Indicators of Compromise (IoC) in the report that admins can use to identify instances that have already been attacked.
Securing instances
The researchers state that they contacted the Gogs developers in March of this year and received a response; since then, however, there has been no further reply. It is therefore unclear when a security patch will be released.
Until then, admins should set two parameters in the configuration file app.ini so that attackers can neither register an account nor create repositories: DISABLE_REGISTRATION = true and MAX_CREATION_LIMIT = 0.
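The following audit script is an added example, not code from the article or from the Gogs project: it parses an app.ini and reports whether both interim settings are in place. It assumes the Gogs layout in which DISABLE_REGISTRATION lives under [service] and MAX_CREATION_LIMIT under [repository]; the two sample configurations are constructed.

```python
"""Check a Gogs app.ini for the interim hardening settings (added example)."""
import configparser

# key -> (section, required value); section names follow the Gogs app.ini layout
REQUIRED = {
    "DISABLE_REGISTRATION": ("service", "true"),
    "MAX_CREATION_LIMIT": ("repository", "0"),
}


def audit_app_ini(text: str) -> dict:
    """Return {key: 'ok' | 'weak' | 'missing'} for the two settings.

    A missing key is reported separately: Gogs then falls back to its
    defaults (registration enabled, unlimited repository creation).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys case-sensitive, as written in app.ini
    # app.ini may carry keys before the first [section]; give them a home
    cp.read_string("[__root__]\n" + text)
    result = {}
    for key, (section, expected) in REQUIRED.items():
        if not cp.has_option(section, key):
            result[key] = "missing"
            continue
        value = cp.get(section, key).strip().lower()
        result[key] = "ok" if value == expected else "weak"
    return result


def is_hardened(text: str) -> bool:
    """True only when both settings are present and set as recommended."""
    return all(v == "ok" for v in audit_app_ini(text).values())


# Constructed sample: default-style settings before the workaround ...
DEFAULT_INI = """APP_NAME = Gogs
[service]
DISABLE_REGISTRATION = false
[repository]
MAX_CREATION_LIMIT = -1
"""

# ... and the same file with the two recommended values applied.
HARDENED_INI = DEFAULT_INI.replace("= false", "= true").replace("= -1", "= 0")

if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("hardened", HARDENED_INI)):
        print(name, audit_app_ini(ini), "hardened:", is_hardened(ini))
```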
(des)