
WARNING: CRITICAL XML SIGNATURE WRAPPING VULNERABILITY IN GITHUB ENTERPRISE SERVER ALLOWS UNAUTHORIZED ACCESS TO THE INSTANCE WITHOUT AUTHENTICATION; PATCH IMMEDIATELY!

Reference: Advisory #2024-209
Version: 1.0
Affected software: GitHub Enterprise Server (before 3.14)
Type: CWE-347 - XML Signature Wrapping Vulnerability
CVE/CVSS: CVE-2024-6800: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://docs.github.com/en/[email protected]/admin/release-notes

Risks

The latest versions of GitHub Enterprise Server (GHES), a developer platform used to create, store and share code, fix CVE-2024-6800. This vulnerability could allow a remote attacker to send a crafted SAML request that results in access to the GitHub server with administrator privileges. The attack requires no user interaction and no prior privileges, and can be carried out remotely by a threat actor.

Successful exploitation of CVE-2024-6800 allows threat actors to perform any administrator action on the server, including reading and manipulating code, changing server settings, deleting code repositories, and inserting malicious code into existing projects.

CVE-2024-6800 has a high impact on all three elements of the CIA triad (Confidentiality, Integrity, Availability).
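The vulnerability class named above, XML Signature Wrapping (XSW), works against SAML consumers that act on a different assertion than the one the XML signature actually covers (for example the first saml:Assertion in document order, while the signed one is left intact elsewhere in the message). The example below is an added illustration of the structural check that closes that gap; it is not GitHub's code and not part of the CCB advisory. It deliberately does not verify the signature cryptographically (a real consumer must do that as well); the element and namespace names come from the SAML 2.0 and XML-DSig schemas, and the three sample Response documents, the user names in them and the placeholder SignatureValue are constructed for the demonstration.

```python
# Added, illustrative structural defence against XML Signature Wrapping in a
# SAML Response. Not GitHub's code and not from the CCB advisory. Skips the
# cryptographic signature check on purpose; shows only the rule XSW attacks
# exploit when it is missing: act solely on the element the signature's
# Reference URI covers, and refuse a message containing anything else.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


class SamlWrappingError(Exception):
    """Raised when the Response does not tie exactly one assertion to the signature."""


def select_signed_assertion(xml_text: str) -> ET.Element:
    """Return the single saml:Assertion that the enveloped signature covers."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise SamlWrappingError("expected exactly one ds:Signature, found %d" % len(sigs))
    ref = sigs[0].find("./ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#") or len(uri) < 2:
        raise SamlWrappingError("Reference URI must be a same-document '#id' reference")
    target_id = uri[1:]
    # Resolve the ID over the whole document: a duplicated ID is a classic XSW trick
    # against consumers that stop at the first match.
    matches = [el for el in root.iter() if el.get("ID") == target_id]
    if len(matches) != 1:
        raise SamlWrappingError("ID %r matched %d elements" % (target_id, len(matches)))
    signed = matches[0]
    if signed.tag != ASSERTION_TAG:
        raise SamlWrappingError("signed element is not a saml:Assertion")
    if sigs[0] not in list(signed):
        raise SamlWrappingError("ds:Signature is not enveloped inside the signed Assertion")
    # Any assertion the signature does not cover is unauthenticated input: reject the message.
    unsigned = [a for a in root.iter(ASSERTION_TAG) if a is not signed]
    if unsigned:
        raise SamlWrappingError("%d unsigned saml:Assertion element(s) present" % len(unsigned))
    return signed


def naive_subject(xml_text: str) -> str:
    """The consumer pattern XSW abuses: trust the first Assertion in document order."""
    root = ET.fromstring(xml_text)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def hardened_subject(xml_text: str) -> str:
    """Subject taken only from the assertion the signature actually covers."""
    return select_signed_assertion(xml_text).find("./saml:Subject/saml:NameID", NS).text


def rejects(xml_text: str) -> bool:
    """True if the hardened consumer refuses the Response outright."""
    try:
        hardened_subject(xml_text)
    except SamlWrappingError:
        return True
    return False


# --- constructed sample messages (placeholder SignatureValue, no real key) ---
def _assertion(aid: str, name_id: str, sign_ref: str = None) -> str:
    sig = ""
    if sign_ref:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
               '<ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>' % sign_ref)
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject></saml:Assertion>' % (aid, sig, name_id))


def _response(*assertions: str) -> str:
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">%s'
            '</samlp:Response>' % (NS["samlp"], NS["saml"], NS["ds"], "".join(assertions)))


LEGIT = _response(_assertion("_a1", "alice", sign_ref="_a1"))
# An unsigned assertion placed first; the signed one is left intact so the signature
# still verifies, but a naive consumer reads the first assertion it finds.
WRAPPED = _response(_assertion("_x1", "mallory"), _assertion("_a1", "alice", sign_ref="_a1"))
# Same idea with a duplicated ID, aimed at consumers that resolve the Reference URI
# by taking the first element carrying that ID.
WRAPPED_DUP_ID = _response(_assertion("_a1", "mallory"), _assertion("_a1", "alice", sign_ref="_a1"))

if __name__ == "__main__":
    for label, doc in (("legit", LEGIT), ("wrapped", WRAPPED), ("dup-id", WRAPPED_DUP_ID)):
        print(label, "naive ->", naive_subject(doc), "| hardened rejects:", rejects(doc))
```

Running the block shows the contrast the advisory describes: for the legitimate message both consumers agree on "alice", while for the two wrapped variants the naive consumer would act as "mallory" and the hardened one refuses the message. A production consumer combines this structural rule with cryptographic verification of the signature and a check that the signing key belongs to the expected identity provider.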

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Update your GitHub instance to one of the following versions to avoid exploitation of CVE-2024-6800:

  • 3.13.3
  • 3.12.8
  • 3.11.14
  • 3.10.16
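For organizations running several GHES instances, the fixed releases listed above translate into a per-branch comparison. The following is an added example (not CCB or GitHub tooling) that triages a constructed inventory of hostnames and version strings against that list; the only assumption beyond the advisory is that a branch older than 3.10, for which no fixed release is named, is treated as vulnerable.

```python
# Added example, not CCB or GitHub tooling: flag GHES instances still below the
# fixed release of their branch. Assumption: branches older than 3.10 (no fix
# listed in the advisory) are reported as vulnerable.
FIXED_IN = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}
FIRST_UNAFFECTED_BRANCH = (3, 14)  # advisory: versions before 3.14 are affected


def parse_version(text: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError("expected MAJOR.MINOR.PATCH, got %r" % text)
    return parts


def is_vulnerable(version: str) -> bool:
    """True if this GHES version predates the fixed release of its branch."""
    v = parse_version(version)
    if v[:2] >= FIRST_UNAFFECTED_BRANCH:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return True  # assumption: unlisted older branch, no fix named
    return v < fixed


def triage(inventory: dict) -> list:
    """Sorted hostnames from a {host: version} inventory that still need the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = {
    "ghes-prod-1": "3.13.2",
    "ghes-prod-2": "3.13.3",
    "ghes-lab": "3.10.15",
    "ghes-new": "3.14.0",
    "ghes-old": "3.9.7",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("UPDATE REQUIRED:", host, SAMPLE_INVENTORY[host])
```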

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, so that an intrusion can be responded to swiftly.

In case of an intrusion, you can report an incident via https://cert.be/en/report-incident

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that has already occurred.

References

https://www.tenable.com/cve/CVE-2024-6800
https://www.cve.org/cverecord?id=CVE-2024-6800