GitHub Nginx Security Full Disclosure

GitHub.com is a popular website where software developers share software projects, source code, programming libraries, and system utilities.

The GitHub website is currently down (2009-10-30 16:31 Z), and, coincidentally, there is a recent security advisory for the Nginx webserver, which GitHub uses.

It is possible that GitHub is being attacked through Nginx. If such an attack succeeded, and if it could reach the files stored in GitHub projects, then the software developers and projects on GitHub would be at risk.

What is GitHub?

GitHub is essentially a centralized way for software developers to share files, some of which may be downloaded by other software developers and included in their own projects.

For example, GitHub is among the largest service providers distributing Ruby gem programming libraries, which software developers may install on many websites.

Most GitHub projects can be updated semi-automatically, for example by pulling source code with the git utility, or by a software developer running a Ruby gem update.

What is Nginx?

Nginx is the webserver that serves GitHub's front-end pages. A security advisory for Nginx was posted to the Full Disclosure mailing list on Thu, 22 Oct 2009 19:35:53 +0300, regarding a null pointer dereference.

A null pointer dereference is a bug in which a program uses a pointer that does not point at anything. At minimum it crashes the process that hits it, and if an attacker can trigger it with a crafted request, that becomes a denial of service attack against the webserver; depending on the surrounding code, such a bug may more seriously be leveraged to execute the attacker's code on the Nginx webserver's system.
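The following is an added illustration of the bug class, not Nginx's code and not the bug in the advisory above. It assumes a hypothetical request structure and a hypothetical `find_header` lookup that returns NULL when a client omits a header, and shows the unsafe caller beside a hardened one that returns a 400 instead of crashing the worker:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request representation (not Nginx's), constructed inline.
 * A real server parses these from the wire, so the header set is
 * attacker-controlled. */
struct header {
    const char *name;
    const char *value;
};

struct request {
    const struct header *headers;
    size_t nheaders;
};

/* Returns the value of the named header, or NULL when the request lacks it.
 * The NULL case is attacker-reachable: the client simply omits the header. */
const char *find_header(const struct request *req, const char *name)
{
    for (size_t i = 0; i < req->nheaders; i++) {
        if (strcmp(req->headers[i].name, name) == 0)
            return req->headers[i].value;
    }
    return NULL;
}

/* Vulnerable pattern: assumes the header is present and passes the
 * possibly-NULL pointer straight to strlen(). A request without a Host
 * header dereferences NULL; the worker process dies with SIGSEGV, and one
 * crash per request is a cheap denial of service. */
int handle_request_unsafe(const struct request *req)
{
    const char *host = find_header(req, "Host");
    return strlen(host) > 0 ? 200 : 400;   /* undefined behaviour when host == NULL */
}

/* Hardened pattern: check the pointer before use and answer the client
 * with a well-formed error; the worker keeps serving other clients. */
int handle_request_safe(const struct request *req)
{
    const char *host = find_header(req, "Host");
    if (host == NULL || host[0] == '\0')
        return 400;                        /* Bad Request */
    return 200;
}

/* Constructed sample requests: one well-formed, one missing Host. */
static const struct header with_host[] = {
    { "Host", "github.com" },
    { "User-Agent", "example" },
};
static const struct header without_host[] = {
    { "User-Agent", "example" },
};

const struct request req_with_host = { with_host, 2 };
const struct request req_without_host = { without_host, 1 };

int main(void)
{
    /* Only the hardened handler is run on the malformed request; calling
     * handle_request_unsafe(&req_without_host) would crash this process. */
    printf("safe, with Host:    %d\n", handle_request_safe(&req_with_host));
    printf("safe, without Host: %d\n", handle_request_safe(&req_without_host));
    printf("unsafe, with Host:  %d\n", handle_request_unsafe(&req_with_host));
    return 0;
}
```

The defensive check costs one comparison; the point is that every lookup that can legitimately fail must have its failure handled by the caller, because a remote client decides whether it fails.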

What is special about the combination of GitHub and Nginx?

If an attacker discovers a way to execute code on the Nginx server at GitHub, and discovers a way to modify files in GitHub projects, then this could be dangerous because the attacker could install rogue code in projects that have semi-automatic updating.

If a GitHub customer runs an update that includes rogue code, then the rogue code could be downloaded to the customer's system, or installed on the customer's website.

GitHub may have security in place to prevent this kind of multi-step attack, i.e. to prevent an attack that compromises Nginx and in turn compromises GitHub projects.

What does GitHub say about this?

GitHub has announced "We are experiencing some heavy load on the frontends caused by a vast number of processes waiting for responses from the backend."

We believe that this is consistent with the kinds of effects a company could see during a denial of service attack, although ordinary overload or a backend failure would produce the same symptom.

I use GitHub. What should I do?

For now, we suggest waiting before you install anything new from GitHub, and before you send anything confidential to GitHub. You can follow us on twitter here: http://twitter.com/sixarm

Links

SixArm on twitter
GitHub on twitter
Nginx security Full Disclosure announcement
