CVE-2024-1369
📋 TL;DR
A command injection vulnerability in GitHub Enterprise Server allows an attacker who holds the editor role in the Management Console to gain admin SSH access to the appliance. The injection point is the username and password fields used when configuring collectd metrics forwarding. All GitHub Enterprise Server releases prior to 3.12 were affected; the fix shipped in 3.11.5, 3.10.7, 3.9.10, and 3.8.15, and 3.12 and later were never affected.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
GitHub Enterprise Server (GHES) is the self-hosted edition of GitHub, shipped as a virtual appliance. The Management Console is the appliance-level administrative web UI (separate from the GitHub site-admin pages) used to set hostname, TLS, authentication, and monitoring options; one of those options forwards appliance metrics to an external collectd server and accepts a username and password for that connection. Admin SSH access to the appliance is the highest level of access available and runs on port 122.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the GitHub Enterprise Server appliance with admin SSH access, allowing complete control over the system, data exfiltration, and lateral movement.
Likely Case
Privileged attacker with editor role gains admin SSH access, potentially leading to data theft, system manipulation, or persistence mechanisms.
If Mitigated
Even with Management Console access restricted, any remaining editor-role user can escalate to admin SSH on the appliance; the restriction reduces who can exploit the bug but does not remove the privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access with editor role privileges in the Management Console. The vulnerability was discovered through GitHub's bug bounty program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.5, 3.10.7, 3.9.10, or 3.8.15
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to one of the patched versions: 3.11.5, 3.10.7, 3.9.10, or 3.8.15.
3. Follow GitHub's upgrade documentation for your specific version.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Management Console Access
Limit Management Console access to only trusted administrators and remove editor roles from users who do not need them.
Monitor collectd Configuration Changes
Implement logging and monitoring for changes to the collectd forwarding configuration in the Management Console.
🧯 If You Can't Patch
- Immediately restrict Management Console access to only essential administrators
- Implement network segmentation to isolate GitHub Enterprise Server from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console, admin SSH, or the REST API (GET /api/v3/meta returns installed_version). You are vulnerable if you run 3.11.x below 3.11.5, 3.10.x below 3.10.7, 3.9.x below 3.9.10, 3.8.x below 3.8.15, or any 3.7 or earlier release (no fix was issued for those). 3.12 and later are not affected.
Check Version:
ssh -p 122 admin@your-ghes-instance ghe-version
Verify Fix Applied:
After patching, verify the installed version is 3.11.5, 3.10.7, 3.9.10, or 3.8.15 (or a later release on the same branch). The advisory gives no injection payload to test against, so rely on the version check rather than attempting to reproduce the injection on a production appliance.
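The version rules above are easy to get wrong by hand (a 3.8.15 appliance is fixed, a 3.11.4 appliance is not, even though 3.11 is the newer branch). The following added example, not code from GitHub or from this page, encodes the fixed-version table from the advisory and evaluates a version string such as the output of ghe-version or the installed_version field of /api/v3/meta. The sample JSON is constructed for illustration; the command name and API field are real, but the exact ghe-version output format is assumed only to contain an x.y.z version somewhere in the text.

```python
"""Triage a GitHub Enterprise Server version string against CVE-2024-1369.

Fixed in 3.8.15, 3.9.10, 3.10.7 and 3.11.5 (per the advisory); 3.12 and later
were never affected. Branches older than 3.8 received no fix and are treated
as affected.
"""
import json
import re

# Minimum patch level per minor branch that carries the fix.
FIXED_IN = {(3, 8): 15, (3, 9): 10, (3, 10): 7, (3, 11): 5}
FIRST_UNAFFECTED = (3, 12)


def parse_version(text):
    """Return (major, minor, patch) from a string that contains an x.y.z
    version, e.g. '3.10.6' or 'GitHub Enterprise Server 3.10.6'
    (ASSUMPTION: ghe-version output contains such a string)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(text):
    """True if the version is vulnerable to CVE-2024-1369."""
    major, minor, patch = parse_version(text)
    if (major, minor) >= FIRST_UNAFFECTED:
        return False                       # 3.12+ never affected
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return True                        # 3.7 and earlier: unpatched branch
    return patch < fixed_patch


def affected_from_meta(meta_json):
    """Evaluate the JSON body of GET /api/v3/meta, which on GHES carries
    an 'installed_version' field."""
    return is_affected(json.loads(meta_json)["installed_version"])


def triage(versions):
    """Map each version string to its affected status, for a fleet."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample response; only installed_version matters here.
    sample_meta = '{"verifiable_password_authentication": true, "installed_version": "3.10.6"}'
    print("meta says affected:", affected_from_meta(sample_meta))
    for v, hit in triage(["3.8.14", "3.8.15", "3.11.4", "3.11.5", "3.12.0", "3.7.21"]).items():
        print(f"{v}: {'AFFECTED' if hit else 'fixed'}")
```

Feed it the output of `ssh -p 122 admin@host ghe-version` from each appliance, or the /api/v3/meta response, and it will flag the ones that still need the upgrade.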
📡 Detection & Monitoring
Log Indicators:
- Changes to the collectd forwarding settings (server, username, password) in the Management Console, especially by editor-role users or outside change windows
- New admin SSH logins to the appliance (port 122) from sources or with key fingerprints that are not on your administrator allowlist; on the appliance these appear in the sshd entries of the system auth log
- Shell activity under the admin account that does not match a known maintenance task
Network Indicators:
- Unexpected inbound connections to port 122 on the GitHub Enterprise Server appliance
- Outbound connections from the appliance to a collectd server you did not configure
SIEM Query:
The event and field names below are placeholders; substitute those produced by your log pipeline. Note the parentheses: without them the AND binds tighter than the OR and the user filter would apply only to the SSH clause.
source="github-enterprise" AND (event="collectd_config_change" OR (event="ssh_access" AND NOT src_ip IN admin_allowlist))
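Because the end state of this vulnerability is an admin SSH login to the appliance, the most reliable signal is an "Accepted ..." sshd entry for the admin user from an unexpected source or with an unknown key. The following added example, not part of the original advisory or of GitHub's tooling, parses the standard OpenSSH "Accepted publickey for USER from IP port N ssh2: KEYTYPE SHA256:..." log format and flags admin logins that violate an allowlist of sources and known key fingerprints. The log lines, IP addresses, and fingerprints are constructed for illustration.

```python
"""Flag admin SSH logins on a GHES appliance that do not match known
administrator sources or known key fingerprints.

Input is the OpenSSH sshd 'Accepted ...' log format. Everything else
(IPs, fingerprints, host name) in the sample data is constructed.
"""
import re
from collections import namedtuple

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

Login = namedtuple("Login", "user src method fp")


def parse_logins(lines):
    """Extract successful logins; failed attempts and unrelated lines are skipped."""
    logins = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            logins.append(Login(m["user"], m["src"], m["method"], m["fp"]))
    return logins


def suspicious_admin_logins(lines, allowed_sources, known_fingerprints):
    """Return [(Login, [reasons])] for admin logins worth an alert."""
    alerts = []
    for login in parse_logins(lines):
        if login.user != "admin":
            continue
        reasons = []
        if login.src not in allowed_sources:
            reasons.append("source not in admin allowlist")
        if login.method == "publickey":
            if login.fp not in known_fingerprints:
                reasons.append("unknown key fingerprint")
        else:
            reasons.append("non-key authentication")
        if reasons:
            alerts.append((login, reasons))
    return alerts


# Constructed sample auth log: one legitimate login, two that should alert,
# and one failed attempt that must be ignored.
SAMPLE_LOG = [
    "Feb 10 12:01:02 ghes sshd[4021]: Accepted publickey for admin from 10.10.0.5 port 51234 ssh2: ED25519 SHA256:KnownAdminKey0000000000000000000000000000000",
    "Feb 10 12:05:44 ghes sshd[4088]: Accepted publickey for admin from 203.0.113.7 port 40111 ssh2: ED25519 SHA256:NeverSeenBefore00000000000000000000000000000",
    "Feb 10 12:07:10 ghes sshd[4120]: Accepted publickey for admin from 10.10.0.5 port 40222 ssh2: RSA SHA256:AlsoUnknown000000000000000000000000000000000",
    "Feb 10 12:09:31 ghes sshd[4150]: Failed password for admin from 198.51.100.9 port 40333 ssh2",
]
ALLOWED_SOURCES = {"10.10.0.5", "10.10.0.6"}
KNOWN_FINGERPRINTS = {"SHA256:KnownAdminKey0000000000000000000000000000000"}


def demo():
    return suspicious_admin_logins(SAMPLE_LOG, ALLOWED_SOURCES, KNOWN_FINGERPRINTS)


if __name__ == "__main__":
    for login, reasons in demo():
        print(f"ALERT admin login from {login.src} ({login.method}): {', '.join(reasons)}")
```

Maintain the fingerprint set from the authorized keys you deliberately installed for admin SSH; a login that passes the source check but uses a key you never provisioned is exactly the post-exploitation pattern this CVE enables.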
🔗 References
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10