CVE-2024-1355
📋 TL;DR
A command injection vulnerability in GitHub Enterprise Server allows attackers with editor role access to the Management Console to execute arbitrary commands and gain admin SSH access via the actions-console docker container. This affects all GitHub Enterprise Server instances prior to version 3.12. Attackers need both access to the instance and editor privileges in the Management Console.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub Enterprise Server appliance with admin SSH access, allowing data exfiltration, code manipulation, and persistent backdoor installation.
Likely Case
Unauthorized admin access leading to repository manipulation, credential theft, and potential lateral movement within the enterprise network.
If Mitigated
Limited impact if proper role-based access controls restrict Management Console access and network segmentation isolates the appliance.
🎯 Exploit Status
Exploitation requires authenticated access with editor role in Management Console and knowledge of the vulnerable service URL parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.5, 3.10.7, 3.9.10, or 3.8.15
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
Restart Required: Yes
Instructions:
1. Backup your GitHub Enterprise Server instance.
2. Download the appropriate patch version from GitHub Enterprise releases.
3. Follow the upgrade instructions for your version.
4. Restart the appliance after upgrade completion.
🔧 Temporary Workarounds
Restrict Management Console Access
Limit Management Console access to only essential administrators and remove editor roles from unnecessary users.
Network Segmentation
Isolate the GitHub Enterprise Server appliance from critical network segments to limit lateral movement if compromised.
🧯 If You Can't Patch
- Immediately audit and remove editor role from all non-essential Management Console users
- Implement strict network access controls to limit Management Console exposure and monitor for suspicious SSH activity
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console or SSH: if the version is below 3.12 and lower than the patched release for its line (3.11.5, 3.10.7, 3.9.10, 3.8.15), you are vulnerable.
Check Version:
ssh -p 122 admin@your-ghes-instance 'ghe-version' (the administrative shell listens on port 122 and the version command is ghe-version), or check in Management Console under Support > Version
Verify Fix Applied:
After patching, verify version shows as 3.11.5, 3.10.7, 3.9.10, 3.8.15 or higher in Management Console or via SSH.
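As an added check (not part of the advisory and not GitHub's own tooling), the following Python function applies the version rules above to a version string such as the output of the SSH command; it assumes the string contains a dotted major.minor.patch triple and uses only the fixed releases listed in this advisory:

```python
# Added example: classify a GHES version against the CVE-2024-1355 fixed releases.
import re

# Fixed release per affected minor line, exactly as listed in the advisory.
FIXED_VERSIONS = {
    (3, 8): (3, 8, 15),
    (3, 9): (3, 9, 10),
    (3, 10): (3, 10, 7),
    (3, 11): (3, 11, 5),
}
# The advisory states that releases from 3.12 onward are not affected.
FIRST_UNAFFECTED_LINE = (3, 12)


def parse_version(text):
    """Return (major, minor, patch) from text like 'GitHub Enterprise Server 3.10.6'.

    The surrounding wording is an assumption; only the first x.y.z triple is used.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return 'not affected', 'patched', or 'vulnerable (...)' with the target release."""
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED_LINE:
        return "not affected"
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # Older than 3.8: the advisory lists no fixed release for this line,
        # so it must be upgraded to one of the patched lines or to 3.12+.
        return "vulnerable (no fixed release listed for this line; upgrade)"
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable (upgrade to %d.%d.%d)" % fixed


if __name__ == "__main__":
    # Constructed sample strings, not captured from a real appliance.
    for sample in ("GitHub Enterprise Server 3.10.6", "3.11.5", "3.12.0", "3.7.3"):
        print(sample, "->", assess(sample))
```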
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH login attempts to admin account
- Suspicious commands in actions-console container logs
- Unexpected Management Console configuration changes
Network Indicators:
- Unexpected outbound connections from GitHub appliance
- SSH traffic from unusual sources to admin port
SIEM Query:
source="github-enterprise" AND ((event="ssh_login" AND user="admin" AND result="success") OR (event="management_console_change" AND user_role="editor"))
🔗 References
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10