CVE-2024-1354

8.0 HIGH

📋 TL;DR

A command injection vulnerability in GitHub Enterprise Server allows authenticated users with editor role in the Management Console to execute arbitrary commands and gain admin SSH access via syslog-ng configuration manipulation. This affects all GitHub Enterprise Server instances prior to version 3.12. Attackers need both access to the instance and Management Console editor privileges.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.12
Operating Systems: GitHub Enterprise Server appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Management Console access with editor role; not exploitable by regular GitHub users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the GitHub Enterprise Server appliance with admin SSH access, enabling data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Privilege escalation from editor to admin, allowing configuration changes, user management, and access to all repositories and settings.

🟢 If Mitigated

Limited to authorized editor users who might misuse their legitimate access, with proper monitoring detecting unusual configuration changes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with editor role in Management Console; command injection via syslog-ng configuration file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.5, 3.10.7, 3.9.10, 3.8.15, or any version 3.12+

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7

Restart Required: Yes

Instructions:

1. Back up your instance.
2. Download the patched version from GitHub Enterprise downloads.
3. Follow the upgrade instructions at https://docs.github.com/en/enterprise-server/admin/installation/upgrading-github-enterprise-server.
4. Restart the appliance.

🔧 Temporary Workarounds

Restrict Management Console Access

all

Limit Management Console editor roles to only essential administrators; review and reduce editor privileges.

Monitor syslog-ng Configuration Changes

linux

Implement file integrity monitoring on /etc/syslog-ng/syslog-ng.conf and related configuration files.

auditctl -w /etc/syslog-ng/syslog-ng.conf -p wa -k syslog_config

🧯 If You Can't Patch

  • Immediately restrict Management Console editor roles to minimal trusted personnel only.
  • Implement strict monitoring and alerting for any syslog-ng configuration file modifications or unusual SSH access patterns.

🔍 How to Verify

Check if Vulnerable:

Check current version via Management Console or SSH: cat /etc/github-enterprise-version

Check Version:

cat /etc/github-enterprise-version

Verify Fix Applied:

Verify version is 3.11.5, 3.10.7, 3.9.10, 3.8.15, or any 3.12+ release.
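
The check below is an added example, not part of the original advisory or of GitHub's tooling: it classifies a version string against the fixed releases listed on this page. It takes the version as an argument and assumes the plain MAJOR.MINOR.PATCH form; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a GitHub Enterprise Server version string against
# the fixed releases listed on this page for CVE-2024-1354.

# Prints the first fixed patch level for a release branch, or nothing if the
# page lists no fix for that branch.
fixed_patch_for_branch() {
  case "$1" in
    3.8)  echo 15 ;;
    3.9)  echo 10 ;;
    3.10) echo 7 ;;
    3.11) echo 5 ;;
  esac
}

# Prints "fixed", "vulnerable" or "unknown" for a MAJOR.MINOR.PATCH version.
ghes_cve_2024_1354_status() {
  version=$1
  # Reject anything that is not digits separated by single dots.
  case "$version" in
    ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $version; IFS=$old_ifs
  [ "$#" -eq 3 ] || { echo unknown; return 0; }
  major=$1; minor=$2; patch=$3

  # 3.12 and later ship the fix; numeric comparison avoids the lexical trap
  # where "3.9.10" would sort before "3.9.9".
  if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 12 ]; }; then
    echo fixed; return 0
  fi
  fixed=$(fixed_patch_for_branch "$major.$minor")
  # Branches with no listed fix are older than 3.12 and therefore affected.
  if [ -n "$fixed" ] && [ "$patch" -ge "$fixed" ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Constructed sample versions, not taken from a real appliance.
for v in 3.8.14 3.9.9 3.9.10 3.10.7 3.11.4 3.12.0 3.10; do
  printf '%s\t%s\n' "$v" "$(ghes_cve_2024_1354_status "$v")"
done
```

An "unknown" result means the input was not a full three-part version and should be checked by hand.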

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modifications to /etc/syslog-ng/syslog-ng.conf
  • Unexpected SSH access from Management Console users
  • Commands containing injection patterns in syslog configuration

Network Indicators:

  • Unusual SSH connections from the GitHub appliance to internal/external systems

SIEM Query:

source="github-enterprise" AND ((event="config_change" AND file="/etc/syslog-ng/syslog-ng.conf") OR (event="ssh_login" AND user="admin"))
