CVE-2023-23761

7.7 HIGH

📋 TL;DR

An improper authentication vulnerability in GitHub Enterprise Server allows unauthorized users to modify other users' secret gists by authenticating through an SSH certificate authority. This affects all GitHub Enterprise Server versions prior to 3.9, requiring attackers to know the secret gist's URL to exploit it.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.9
Operating Systems: All supported OS for GitHub Enterprise Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with SSH certificate authority authentication enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized modification or deletion of sensitive data in secret gists, potentially exposing confidential information or disrupting workflows.

🟠 Likely Case: Targeted modification of specific secret gists by users with knowledge of their URLs, leading to data integrity issues.

🟢 If Mitigated: Limited impact if secret gist URLs are not widely shared and proper access controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of secret gist URLs and SSH certificate authority access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.18, 3.5.15, 3.6.11, 3.7.8, 3.8.1, or 3.9+

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.18

Restart Required: Yes

Instructions:

1. Backup your GitHub Enterprise Server instance.
2. Upgrade to a patched version (3.4.18, 3.5.15, 3.6.11, 3.7.8, 3.8.1, or 3.9+).
3. Follow GitHub's upgrade documentation for your version.
4. Restart the server after upgrade.

🔧 Temporary Workarounds

Disable SSH certificate authority authentication (platform: all)

Temporarily disable SSH certificate authority authentication to prevent exploitation.

# Modify GitHub Enterprise Server configuration to disable SSH CA auth
# Refer to GitHub documentation for specific configuration steps

Restrict secret gist sharing (platform: all)

Limit sharing of secret gist URLs and monitor for unauthorized access attempts.

🧯 If You Can't Patch

  • Disable SSH certificate authority authentication if not required.
  • Implement strict access controls and monitoring for secret gist modifications.

🔍 How to Verify

Check if Vulnerable:

Check your GitHub Enterprise Server version via the management console or SSH into the instance and run 'ghe-version'.

Check Version:

ssh admin@your-ghe-instance 'ghe-version'

Verify Fix Applied:

Verify the version is 3.4.18, 3.5.15, 3.6.11, 3.7.8, 3.8.1, or 3.9+ using 'ghe-version' command.
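The version check above is easy to get wrong by hand because each release branch has its own fixed patch level. The following POSIX sh helper, added here as an example and not part of the advisory, compares a GitHub Enterprise Server version string against the fixed releases listed on this page (3.4.18, 3.5.15, 3.6.11, 3.7.8, 3.8.1, and anything 3.9 or later). It assumes that `ghe-version` prints the version somewhere in its output as a dotted `X.Y.Z` token; the extraction regex and the `extract_version` and `ghes_is_patched` function names are assumptions made for this example.

```shell
#!/bin/sh
# Example check for CVE-2023-23761 (constructed; not from the advisory).
# Fixed releases per the advisory: 3.4.18, 3.5.15, 3.6.11, 3.7.8, 3.8.1, 3.9+.

# Pull the first dotted X.Y.Z token out of arbitrary text.
# Assumption: ghe-version output contains the version in that form.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 (patched) if the given version is at or above the fixed release
# for its branch, 1 (vulnerable) otherwise. Branches older than 3.4 have no
# fixed release listed on the page, so they are reported as vulnerable.
ghes_is_patched() {
  v="$1"
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  patch=${patch:-0}

  [ "$major" -gt 3 ] && return 0
  [ "$major" -lt 3 ] && return 1
  [ "$minor" -ge 9 ] && return 0

  case "$minor" in
    4) min=18 ;;
    5) min=15 ;;
    6) min=11 ;;
    7) min=8 ;;
    8) min=1 ;;
    *) return 1 ;;   # 3.3 and earlier: no fixed release on this branch
  esac
  [ "$patch" -ge "$min" ]
}

# Usage (run from an admin workstation; host name is a placeholder):
#   raw=$(ssh admin@your-ghe-instance 'ghe-version')
#   ver=$(extract_version "$raw")
#   if ghes_is_patched "$ver"; then echo "$ver: patched"; else echo "$ver: VULNERABLE"; fi
```

Feed the function the version string rather than the whole `ghe-version` output; the `extract_version` helper exists only to strip any surrounding text before the comparison.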

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to secret gists, especially from unauthorized users or SSH CA authenticated sessions.

Network Indicators:

  • Unexpected SSH certificate authority authentication attempts to gist endpoints.

SIEM Query:

source="github-enterprise" action="gist_modify" user="*" auth_method="ssh_ca"
