CVE-2024-10001
📋 TL;DR
A code injection vulnerability in GitHub Enterprise Server allows attackers to inject malicious code via the identity property in message handling, enabling DOM manipulation and sensitive data exfiltration including authentication tokens. This affects logged-in GitHub users who interact with attacker-controlled malicious webpages containing hidden iframes. All GitHub Enterprise Server versions prior to 3.11.16, 3.12.10, 3.13.5, 3.14.2, and 3.15.0 are vulnerable.
💻 Affected Systems
- GitHub Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, exfiltration of all accessible sensitive data including source code, credentials, and authentication tokens, leading to further lateral movement within the organization.
Likely Case
Exfiltration of authentication tokens and session hijacking, allowing unauthorized access to repositories, sensitive data, and potentially modifying code or configurations.
If Mitigated
Limited impact with proper web security controls like Content Security Policy (CSP), same-origin policies, and user awareness training preventing interaction with malicious sites.
🎯 Exploit Status
Exploitation requires social engineering to trick users into visiting malicious sites and requires the victim to be logged into GitHub Enterprise Server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.16, 3.12.10, 3.13.5, 3.14.2, or 3.15.0
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.17
Restart Required: No
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to the patched version (3.11.16, 3.12.10, 3.13.5, 3.14.2, or 3.15.0).
3. Verify the upgrade completed successfully.
4. Test critical functionality.
🔧 Temporary Workarounds
Implement Strict Content Security Policy
Deploy a strict CSP to prevent inline script execution and restrict script sources to trusted domains only.
Add the header Content-Security-Policy: script-src 'self' to HTTP responses.
User Awareness Training
Educate users about the risks of clicking unknown links and interacting with suspicious webpages while logged into enterprise systems.
🧯 If You Can't Patch
- Implement network segmentation to restrict GitHub Enterprise Server access to trusted networks only.
- Deploy web application firewalls (WAF) with rules to detect and block code injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the management console or SSH into the instance and run 'ghe-version'.
Check Version:
ssh admin@your-ghe-instance 'ghe-version'
Verify Fix Applied:
Using the 'ghe-version' command, verify that the reported version is 3.11.16, 3.12.10, 3.13.5, 3.14.2, 3.15.0, or a later release on the same line.
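Comparing a version string against five separate fixed releases by eye is error-prone, so the following script (an added example, not a GitHub tool) parses the output of 'ghe-version' and reports whether the instance is on a fixed release for its line. The output format 'GitHub Enterprise Server X.Y.Z' and the treatment of lines newer than 3.15 as fixed are assumptions; the sample strings are constructed.

```python
"""Assess ghe-version output against the fixed releases for CVE-2024-10001.

Added example; not GitHub tooling. Pipe the real output in:
    ssh admin@your-ghe-instance 'ghe-version' | python3 check_ghe.py
"""
import re
import sys
from typing import Tuple

# Minimum fixed release per line, as listed in the advisory.
FIXED_RELEASES = {
    (3, 11): (3, 11, 16),
    (3, 12): (3, 12, 10),
    (3, 13): (3, 13, 5),
    (3, 14): (3, 14, 2),
    (3, 15): (3, 15, 0),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from text such as
    'GitHub Enterprise Server 3.12.9' (assumed output format)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version predates the fixed release for its line."""
    line = (version[0], version[1])
    if line in FIXED_RELEASES:
        return version < FIXED_RELEASES[line]
    # Assumption: lines newer than 3.15 ship with the fix, since 3.15.0 did;
    # lines older than 3.11 have no fixed release listed, so treat them as
    # vulnerable (and out of support).
    return line < (3, 11)


def assess(text: str) -> str:
    """Return a one-line verdict for a ghe-version output string."""
    version = parse_version(text)
    label = "VULNERABLE" if is_vulnerable(version) else "fixed"
    return f"{'.'.join(map(str, version))}: {label}"


if __name__ == "__main__":
    if not sys.stdin.isatty():
        print(assess(sys.stdin.read()))
    else:
        # Constructed samples for a stand-alone run.
        for sample in ("GitHub Enterprise Server 3.12.9",
                       "GitHub Enterprise Server 3.14.2"):
            print(assess(sample))
```

The check is per line: 3.14.3 is fixed even though it is numerically below 3.15.0, which is exactly the case a naive "version >= 3.15.0" comparison gets wrong.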
📡 Detection & Monitoring
Log Indicators:
- Unusual iframe loading events in browser logs
- Unexpected POST requests with identity parameters
- Authentication token usage from unusual IP addresses
Network Indicators:
- Traffic to known malicious domains from GitHub Enterprise Server users
- Unexpected outbound data exfiltration patterns
SIEM Query:
source="github_enterprise" AND (event="iframe_load" OR event="token_usage") AND src_ip NOT IN [trusted_ips]
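The SIEM query above can be applied outside a SIEM as well. The following script (an added example, not part of the advisory or of any GitHub tooling) runs the same logic over constructed JSON log records: it flags iframe_load and token_usage events from sources outside the trusted ranges, and POST requests carrying an identity parameter. The field names, the log format, and the trusted networks are assumptions.

```python
"""Flag log records matching the advisory's detection indicators.

Added example; the log schema (source, event, src_ip, method, params)
and the trusted ranges are assumed, and the records are constructed.
"""
import ipaddress
import json
from typing import Iterable, List, Optional

# Constructed trusted ranges standing in for [trusted_ips] in the SIEM query.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
WATCHED_EVENTS = {"iframe_load", "token_usage"}

# Constructed sample records (one JSON object per line).
SAMPLE_LOGS = [
    '{"source": "github_enterprise", "event": "token_usage", "src_ip": "10.1.2.3", "user": "alice"}',
    '{"source": "github_enterprise", "event": "token_usage", "src_ip": "203.0.113.7", "user": "alice"}',
    '{"source": "github_enterprise", "event": "iframe_load", "src_ip": "198.51.100.4", "user": "bob"}',
    '{"source": "github_enterprise", "event": "http_request", "method": "POST", '
    '"src_ip": "10.1.2.9", "params": {"identity": "unexpected-value"}}',
    '{"source": "github_enterprise", "event": "repo_push", "src_ip": "198.51.100.4", "user": "bob"}',
    '{"source": "nginx", "event": "token_usage", "src_ip": "198.51.100.9"}',
]


def is_trusted(ip: str) -> bool:
    """True when the address falls inside a trusted network; malformed
    addresses are treated as untrusted so they surface for review."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(record: dict) -> Optional[str]:
    """Return a reason string if the record matches an indicator, else None."""
    if record.get("source") != "github_enterprise":
        return None
    event = record.get("event")
    if event in WATCHED_EVENTS and not is_trusted(record.get("src_ip", "")):
        return f"{event} from untrusted source {record.get('src_ip')}"
    if record.get("method") == "POST" and "identity" in record.get("params", {}):
        return "POST request carrying an identity parameter"
    return None


def flag_events(lines: Iterable[str]) -> List[dict]:
    """Parse each JSON line and collect the records that match an indicator."""
    hits = []
    for line in lines:
        record = json.loads(line)
        reason = classify(record)
        if reason:
            hits.append({"record": record, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_LOGS):
        print(f"{hit['reason']}: {hit['record']}")
```

Note that the identity-parameter rule fires regardless of source address, because that indicator concerns the request content rather than its origin; the other two rules mirror the query's src_ip NOT IN [trusted_ips] clause.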
🔗 References
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.17
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.11
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.6
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.3
- https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.0