CVE-2024-6800
📋 TL;DR
An XML signature wrapping vulnerability in GitHub Enterprise Server's SAML authentication allows attackers with network access to forge SAML responses and gain administrator access without authentication. This affects all GHES versions prior to 3.14 when using SAML with specific identity providers. Attackers can provision new admin accounts or hijack existing ones.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of GitHub Enterprise Server instance with attacker gaining site administrator privileges, enabling data theft, code manipulation, user account takeover, and complete system control.
Likely Case
Unauthorized administrative access leading to data exfiltration, privilege escalation for other users, and potential lateral movement within the organization's development infrastructure.
If Mitigated
No impact if patched or if SAML authentication is not used with vulnerable identity providers.
🎯 Exploit Status
Requires direct network access to GHES and knowledge of SAML/XML signature wrapping techniques. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.13.3, 3.12.8, 3.11.14, or 3.10.16
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3
Restart Required: Yes
Instructions:
1. Back up your GHES instance.
2. Upgrade to a patched version (3.13.3, 3.12.8, 3.11.14, or 3.10.16).
3. Restart the instance.
4. Verify that SAML authentication works correctly.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML authentication until patching can be completed
# Configure alternative authentication method in GHES admin settings
Restrict Network Access
Limit network access to GHES SAML endpoints to trusted identity providers only
# Configure firewall rules to restrict access to SAML endpoints
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to GHES SAML endpoints
- Monitor SAML authentication logs for suspicious activity and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check the GHES version via the admin dashboard, or over SSH:
cat /data/user/common/version-info.json | grep version
Verify Fix Applied:
Verify that the version is at least 3.13.3, 3.12.8, 3.11.14, or 3.10.16 on its release line (or 3.14 or later), then test that SAML authentication works.
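The version check above is easy to get wrong by hand because each release line has its own minimum patched version. The following script is an added example (not GitHub's own tooling) that reads the version string and compares it against the patch levels listed in this advisory. It assumes that `/data/user/common/version-info.json` carries the version in a top-level `"version"` key, which the `grep version` command above suggests but which is not confirmed by this page; the sample inputs at the bottom are constructed.

```python
import json
import re
import sys

# Minimum patched version for each affected GHES release line, as listed
# in this advisory. Release lines 3.14 and later ship with the fix.
PATCHED_MINIMUMS = {
    (3, 10): (3, 10, 16),
    (3, 11): (3, 11, 14),
    (3, 12): (3, 12, 8),
    (3, 13): (3, 13, 3),
}


def parse_version(text):
    """Turn a version string such as '3.13.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this version still lacks the fix for CVE-2024-6800."""
    major, minor, _patch = version
    if (major, minor) >= (3, 14):
        return False  # 3.14 and later are not affected
    minimum = PATCHED_MINIMUMS.get((major, minor))
    if minimum is None:
        # Older release line with no listed patch: the advisory says all
        # versions prior to 3.14 are affected, so treat it as vulnerable.
        return True
    return version < minimum


def assess(version_info_json):
    """Parse the JSON document and report the version and its status.

    Assumption: the document has a top-level "version" key (hypothetical schema).
    """
    data = json.loads(version_info_json)
    version = parse_version(data["version"])
    return {
        "version": ".".join(str(x) for x in version),
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    # Usage on the appliance: python3 check_ghes_version.py < /data/user/common/version-info.json
    # Constructed sample input for an offline run:
    sample = sys.stdin.read() if not sys.stdin.isatty() else '{"version": "3.13.2"}'
    result = assess(sample)
    status = "VULNERABLE" if result["vulnerable"] else "patched"
    print(f"GHES {result['version']}: {status}")
```

The comparison is branch-aware: 3.12.8 is patched even though it is numerically lower than 3.13.2, which is not, so a plain "greater than" test against a single version would misclassify either one.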
📡 Detection & Monitoring
Log Indicators:
- Unexpected SAML authentication attempts
- Administrator account creation/modification events
- Failed then successful SAML logins from same source
Network Indicators:
- Unusual XML payloads to SAML endpoints
- SAML responses with modified signatures
- Traffic from unexpected sources to authentication endpoints
SIEM Query:
source="github-enterprise" AND (event_type="saml_auth" OR event_type="user_create" OR event_type="user_modify") | stats count by src_ip, user
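The log indicators above (failed-then-successful SAML logins from one source, administrator creation or modification shortly after a SAML login) can be correlated with a short script rather than a single SIEM query. The following is an added example, not GitHub's detection logic: it replays JSON audit events in time order and keeps per-source state so that the two patterns can be flagged. The sample events, the field names (`action`, `actor_ip`, `auth_method`) and the action names are constructed assumptions for illustration; map them onto your own export of the GHES audit log.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events. Field and action names are assumptions
# for this example, not GHES's documented audit-log schema.
SAMPLE_LOG = """\
{"@timestamp": "2024-08-20T10:00:00Z", "action": "user.failed_login", "actor": "alice", "actor_ip": "203.0.113.7", "auth_method": "saml"}
{"@timestamp": "2024-08-20T10:00:20Z", "action": "user.failed_login", "actor": "alice", "actor_ip": "203.0.113.7", "auth_method": "saml"}
{"@timestamp": "2024-08-20T10:01:05Z", "action": "user.login", "actor": "alice", "actor_ip": "203.0.113.7", "auth_method": "saml"}
{"@timestamp": "2024-08-20T10:02:10Z", "action": "user.create", "actor": "alice", "actor_ip": "203.0.113.7", "user": "svc-deploy"}
{"@timestamp": "2024-08-20T10:02:30Z", "action": "business.add_admin", "actor": "alice", "actor_ip": "203.0.113.7", "user": "svc-deploy"}
{"@timestamp": "2024-08-20T11:30:00Z", "action": "user.login", "actor": "bob", "actor_ip": "198.51.100.9", "auth_method": "saml"}
"""

# Actions that create or elevate accounts; extend to match your audit-log export.
ADMIN_ACTIONS = {"user.create", "business.add_admin"}


def parse_events(log_text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def detect(log_text, fail_window=timedelta(minutes=10), admin_window=timedelta(minutes=30)):
    """Return a list of alerts for the two indicator patterns named in the advisory."""
    alerts = []
    last_failure = {}     # actor_ip -> time of most recent failed SAML login
    last_saml_login = {}  # actor_ip -> time of most recent successful SAML login
    for ev in parse_events(log_text):
        ip, ts, action = ev.get("actor_ip"), ev["_ts"], ev["action"]
        is_saml = ev.get("auth_method") == "saml"
        if action == "user.failed_login" and is_saml:
            last_failure[ip] = ts
        elif action == "user.login" and is_saml:
            # Indicator 1: failure followed by success from the same source.
            if ip in last_failure and ts - last_failure[ip] <= fail_window:
                alerts.append({"rule": "failed_then_success_saml", "src_ip": ip,
                               "actor": ev.get("actor"), "at": ev["@timestamp"]})
            last_saml_login[ip] = ts
        elif action in ADMIN_ACTIONS:
            # Indicator 2: account creation/elevation soon after a SAML login
            # from the same source.
            if ip in last_saml_login and ts - last_saml_login[ip] <= admin_window:
                alerts.append({"rule": "admin_change_after_saml_login", "src_ip": ip,
                               "actor": ev.get("actor"), "action": action,
                               "target": ev.get("user"), "at": ev["@timestamp"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Both rules are deliberately per-source rather than per-user: a forged SAML response can name any account, so the actor field alone is not a stable pivot, while the source address of the login and of the follow-on admin change is. Tune the two windows to your environment's normal login-to-admin-change latency before alerting on them.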
🔗 References
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.16
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3