CVE-2024-10007

9.1 CRITICAL

📋 TL;DR

This CVE describes a path collision in the ghe-firejail path of GitHub Enterprise Server that lets a user who already holds Enterprise Administrator access escape the service container and execute arbitrary code as root on the appliance. It affects all versions prior to 3.15 and was fixed in 3.14.3, 3.13.6, 3.12.11 and 3.11.17. Because the prerequisite is administrator access, the practical threat is a malicious insider or an attacker who has taken over an administrator account; the payoff is full control of the host rather than just the GitHub application.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.15
Operating Systems: Linux (containerized deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitHub Enterprise Server deployments; requires Enterprise Administrator access to exploit

📦 What is this software?

GitHub Enterprise Server (GHES) is the self-hosted edition of GitHub, shipped as a virtual appliance that customers run on their own infrastructure. Services on the appliance run inside sandboxed containers; ghe-firejail is the appliance's sandbox wrapper, and this vulnerability is in the path handling of that wrapper.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root access, allowing data theft, service disruption, and persistent backdoor installation across the entire GitHub Enterprise Server instance.

🟠

Likely Case

Privileged administrator with malicious intent or compromised admin credentials could execute arbitrary code, access sensitive data, and maintain persistence in the environment.

🟢

If Mitigated

With strict access controls and monitoring in place, only Enterprise Administrators can reach the vulnerable code path, so exposure is bounded by the size of that group. The risk does not disappear, though: any compromise of an administrator account (phished credentials, a stolen session, a leaked personal access token with admin scope) still converts directly into root on the appliance.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires Enterprise Administrator privileges. A path collision in the ghe-firejail path allows such an administrator to break out of the sandboxed container and run arbitrary code as root on the underlying host. No public proof of concept is known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.14.3, 3.13.6, 3.12.11, or 3.11.17

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.17

Restart Required: Yes

Instructions:

1. Back up your GitHub Enterprise Server instance.
2. Upgrade to the patched release for your branch (3.14.3, 3.13.6, 3.12.11, or 3.11.17), or to 3.15 or later.
3. Follow the GitHub Enterprise Server upgrade procedures for your deployment type (single instance, high availability, or cluster).
4. Verify the upgrade completed and that the instance is functional.

🔧 Temporary Workarounds

Restrict Administrator Access

Platform: all

Limit Enterprise Administrator accounts to essential personnel, enforce strong MFA on them, and review the administrator list regularly. Since this vulnerability requires administrator access, every account removed from that role is one fewer path to root.

Enhanced Monitoring

Platform: linux

Forward the appliance's audit log and system logs to your SIEM and alert on administrator activity that is outside the normal pattern: new administrative SSH sessions, ghe-* commands run outside change windows, and ghe-firejail invocations with unexpected arguments or parent processes.

🧯 If You Can't Patch

  • Implement strict least-privilege access controls for Enterprise Administrator accounts
  • Deploy enhanced monitoring and alerting for suspicious administrator activities and container escape attempts

🔍 How to Verify

Check if Vulnerable:

Check the GitHub Enterprise Server version via the Management Console, or over administrative SSH with the documented ghe-version utility or the version file:

ghe-version
cat /data/user/common/enterprise-version

Check Version:

cat /data/user/common/enterprise-version

Verify Fix Applied:

The instance is fixed only if its version is at or above the patched release for its own minor branch: 3.11.17 for 3.11.x, 3.12.11 for 3.12.x, 3.13.6 for 3.13.x, 3.14.3 for 3.14.x, or any 3.15 or later release. Note that "3.11.17 or later" is not sufficient on its own: 3.12.0 is numerically later than 3.11.17 but is still vulnerable.
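Because the fixed release differs per minor branch, a plain "greater than" comparison gets the answer wrong. The following script is an added example, not tooling from GitHub or from this advisory: it decides whether a GHES version string is affected by CVE-2024-10007 using the fixed releases listed above. It assumes a three-part version string such as `3.14.2` (any trailing build suffix is ignored); the version source on the appliance (`ghe-version` or the version file) is left to the caller.

```shell
#!/bin/sh
# Added example (not GitHub's code): classify a GitHub Enterprise Server
# version against the CVE-2024-10007 fix list.
# Fixed releases per the advisory: 3.11.17, 3.12.11, 3.13.6, 3.14.3;
# 3.15 and later were never affected.
# Assumption: input looks like "3.14.2" (optional trailing text is ignored).

# ghes_is_vulnerable VERSION
# Exit status: 0 = vulnerable, 1 = fixed or unaffected, 2 = unparseable.
ghes_is_vulnerable() {
    # Split "MAJOR.MINOR.PATCH..." into three space-separated numbers.
    ver=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1; minor=$2; patch=$3

    # 3.15 and later (or any newer major) contain the fix.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 15 ]; }; then
        return 1
    fi
    # Branches older than 3.11 never received a patched release: vulnerable.
    if [ "$major" -lt 3 ] || [ "$minor" -lt 11 ]; then
        return 0
    fi
    # Remaining branches 3.11 to 3.14: compare against that branch's fix.
    case "$minor" in
        11) fixed=17 ;;
        12) fixed=11 ;;
        13) fixed=6 ;;
        14) fixed=3 ;;
    esac
    [ "$patch" -lt "$fixed" ] && return 0
    return 1
}

# ghes_report VERSION: human-readable verdict, same exit status as above.
ghes_report() {
    ghes_is_vulnerable "$1"
    rc=$?
    case $rc in
        0) echo "$1: VULNERABLE to CVE-2024-10007 (upgrade to 3.11.17/3.12.11/3.13.6/3.14.3 or 3.15+)" ;;
        1) echo "$1: fixed or unaffected" ;;
        *) echo "$1: unrecognised version string" ;;
    esac
    return $rc
}

# Usage: sh check_ghes.sh 3.14.2   (or pass "$(ghe-version)" after trimming it to the number)
if [ $# -gt 0 ]; then
    ghes_report "$1"
fi
```

The per-branch table is the point: 3.12.0 is "newer" than 3.11.17 yet vulnerable, and the script returns the right answer for it. Exit status 2 for unparseable input keeps a scripted fleet check from silently reporting a garbled version as "fixed".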

📡 Detection & Monitoring

Log Indicators:

  • ghe-firejail invoked with unexpected arguments, by an unexpected user, or from an unexpected parent process
  • Processes running as root on the host whose parent chain originates inside a service container
  • Administrative SSH sessions and ghe-* commands by Enterprise Administrators outside normal change windows, especially shortly before unexplained root activity

Network Indicators:

  • Unexpected outbound connections from GitHub Enterprise Server
  • Unusual SSH or management interface activity

SIEM Query (illustrative; the source and field names depend on how your appliance logs are ingested and must be adapted):

source="github-enterprise" AND (process="ghe-firejail" OR event="container_escape" OR (user="admin" AND action="privileged"))

Note the parentheses around the last clause: without them, AND binds tighter than OR in most query languages and the filter matches every ghe-firejail event regardless of the user and action conditions, which is not the intent.
