{"id":1104944,"date":"2024-01-17T08:02:25","date_gmt":"2024-01-17T10:02:25","guid":{"rendered":"https:\/\/teknomers.com\/fr\/github-fait-pivoter-les-cles-apres-quune-vulnerabilite-de-haute-gravite-ait-expose-les-informations-didentification\/"},"modified":"2024-01-17T08:02:29","modified_gmt":"2024-01-17T10:02:29","slug":"github-fait-pivoter-les-cles-apres-quune-vulnerabilite-de-haute-gravite-ait-expose-les-informations-didentification","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/github-fait-pivoter-les-cles-apres-quune-vulnerabilite-de-haute-gravite-ait-expose-les-informations-didentification\/",
"title":{"rendered":"GitHub rotates keys after a high-severity vulnerability exposed credentials"},
"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">17 January 2024<\/span><span class=\"author\">Editorial staff<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Software security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>GitHub has disclosed that it rotated certain keys in response to a security vulnerability that could potentially be exploited to gain access to credentials within a production container.<\/p>\n<p>The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it resolved the issue the same day, in addition to rotating all potentially exposed credentials out of caution.<\/p>\n<p>The rotated keys include the GitHub commit signing key as well as the GitHub Actions, GitHub Codespaces and Dependabot customer encryption keys, which requires users who rely on these keys to import the new ones.<\/p>\n<p>There is no evidence that the high-severity vulnerability, tracked as <a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-0200\" target=\"_blank\">CVE-2024-0200<\/a> (CVSS score: 7.2), has previously been found and exploited in the wild.<\/p>\n<p>&#8220;This vulnerability is also present on GitHub Enterprise Server (GHES),&#8221; GitHub's Jacob DePriest <a rel=\"nofollow noopener\" href=\"https:\/\/github.blog\/2024-01-16-rotating-credentials-for-github-com-and-new-ghes-patches\/\" target=\"_blank\">said<\/a>. &#8220;However, exploitation requires an authenticated user with an <a rel=\"nofollow noopener\" href=\"https:\/\/docs.github.com\/enterprise-server@3.11\/organizations\/managing-peoples-access-to-your-organization-with-roles\/roles-in-an-organization#organization-owners\" target=\"_blank\">organization owner role<\/a> to be logged in to an account on the GHES instance, which is a significant set of mitigating circumstances to potential exploitation.&#8221;<\/p>\n<p>In a <a rel=\"nofollow noopener\" href=\"https:\/\/docs.github.com\/en\/enterprise-server@3.11\/admin\/release-notes\" target=\"_blank\">separate advisory<\/a>, GitHub characterized the vulnerability as a case of &#8220;unsafe reflection&#8221; in GHES that could lead to reflection injection and remote code execution. It has been fixed in GHES versions 3.8.13, 3.9.8, 3.10.5 and 3.11.3.<\/p>\n<p>GitHub is also addressing another high-severity bug tracked as <a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-0507\" target=\"_blank\">CVE-2024-0507<\/a> (CVSS score: 6.5), which could allow an attacker with access to a Management Console user account with the editor role to escalate privileges via command injection.<\/p>\n<p>The development comes nearly a year after the company took the decision to replace its RSA SSH host key used to secure Git operations &#8220;as a precautionary measure&#8221; after it was briefly exposed in a public repository.<\/p>\n<p>Source: <a href=\"https:\/\/thehackernews.com\/2024\/01\/github-rotates-keys-after-high-severity.html\" rel=\"nofollow noopener\" target=\"_blank\">thehackernews.com<\/a><\/p>\n<\/div>\n","protected":false},
"excerpt":{"rendered":"<p>17 January 2024 Editorial staff Vulnerability \/ Software security GitHub has disclosed that it rotated certain keys in response to a security vulnerability that could potentially be exploited to gain access to credentials within a production container. The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023 and [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":1104945,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[200292,677,271,6208,4168,4165,4161,200267,71695,16209,369,50438,11128,11685,492,4159,4171,65,200271,200268,200269,200270,22172,1294,128318,4172,4169,4166,3667,4164],"class_list":["post-1104944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-ait","tag-apres","tag-cles","tag-comment-pirater","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-didentification","tag-expose","tag-fait","tag-github","tag-gravite","tag-haute","tag-informations","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-les","tag-logiciel-malveillant-rancongiciel","tag-mises-a-jour-sur-la-cybersecurite","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-pivoter","tag-quune","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle"],
"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1104944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1104944"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1104944\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1104945"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1104944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1104944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1104944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}