WARNING: CRITICAL XML SIGNATURE WRAPPING VULNERABILITY IN GITHUB ENTERPRISE SERVER ALLOWS UNAUTHORIZED ACCESS TO THE INSTANCE WITHOUT AUTHENTICATION; PATCH IMMEDIATELY!
CVE-2024-6800: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
https://docs.github.com/en/[email protected]/admin/release-notes
Risks
The latest version of "GitHub Enterprise Server" (GHES), a developer platform used to create, store and share code, fixes CVE-2024-6800. This vulnerability could allow a remote attacker to send a crafted SAML request and thereby obtain user access to the GitHub server with admin privileges. The attack requires neither user interaction nor prior privileges and can be executed remotely by a threat actor.
Successful exploitation of CVE-2024-6800 allows threat actors to perform any administrator action on the server, including reading and manipulating code, changing server settings, removing code repositories, and inserting malicious code into existing projects.
CVE-2024-6800 has a high impact on all three elements of the CIA triad (Confidentiality, Integrity, Availability).
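The flaw class named in the title, XML signature wrapping, works because a SAML consumer may locate the signed element by ID while acting on a different, unsigned assertion placed elsewhere in the same document. The following added example (not code from the CCB, GitHub or any SAML library) shows the structural check a service provider can apply so that the assertion it consumes is provably the one the signature covers; the SAML documents are constructed samples, and cryptographic verification of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def check_assertion_binding(response_xml: str) -> tuple[bool, str]:
    """Structural anti-wrapping check for a SAML 2.0 Response (added example).

    ok is True only when the consumed Assertion is the single, top-level
    Assertion, carries an enveloped ds:Signature, and that signature's one
    Reference targets the Assertion's own ID. Cryptographic verification of
    the signature is assumed to happen separately and is not shown here.
    """
    root = ET.fromstring(response_xml)
    everywhere = root.findall(f".//{SAML}Assertion")   # assertions anywhere in the tree
    top_level = root.findall(f"{SAML}Assertion")       # assertions directly under Response
    if len(everywhere) != 1 or everywhere != top_level:
        return False, f"expected one top-level Assertion, found {len(everywhere)}"
    assertion = top_level[0]
    assertion_id = assertion.get("ID", "")
    if not assertion_id:
        return False, "Assertion has no ID attribute"
    sig = assertion.find(f"{DS}Signature")  # enveloped signature is a direct child
    if sig is None:
        return False, "Assertion carries no enveloped ds:Signature"
    refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1:
        return False, f"expected one ds:Reference, found {len(refs)}"
    uri = refs[0].get("URI", "")
    if uri != "#" + assertion_id:  # the signed thing must be the consumed thing
        return False, f"Reference {uri!r} does not target the consumed Assertion"
    return True, "signature is bound to the only Assertion"

# Constructed samples (not real GHES traffic): a well-formed response, and a
# wrapped one with an unsigned Assertion placed in front of the signed original.
_HDR = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">')
_SIGNED = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
           '</saml:Subject><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
           '</ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue>'
           '</ds:Signature></saml:Assertion>')
_UNSIGNED = '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>'
GOOD_RESPONSE = _HDR + _SIGNED + "</samlp:Response>"
WRAPPED_RESPONSE = _HDR + _UNSIGNED + "<samlp:Extensions>" + _SIGNED + "</samlp:Extensions></samlp:Response>"

if __name__ == "__main__":
    for name, doc in (("good", GOOD_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        print(name, check_assertion_binding(doc))
```

In the wrapped sample the signature over `_a1` would still verify cryptographically, which is exactly why the structural binding check has to run in addition to, not instead of, signature verification.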
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Update your GitHub instance to one of the following versions to avoid exploitation of CVE-2024-6800:
- 3.13.3
- 3.12.8
- 3.11.14
- 3.10.16
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://cert.be/en/report-incident
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
References
https://www.tenable.com/cve/CVE-2024-6800
https://www.cve.org/cverecord?id=CVE-2024-6800