You probably want to patch this critical GitHub Enterprise Server bug now
(2024/08/22)
- Reference: 1724282107
- News link: https://www.theregister.co.uk/2024/08/21/patch_github_enterprise_bug/
- Source link:
A critical bug in GitHub Enterprise Server could allow an attacker to gain unauthorized access to a user account with administrator privileges and then wreak havoc on an organization's code repositories.
The good news is that there's a fix. The Microsoft-owned code hosting service addressed the 9.5 CVSS-rated flaw tracked as [1]CVE-2024-6800 in GitHub Enterprise Server (GHES) versions [2]3.13.3 , [3]3.10.16 , [4]3.11.14 , and [5]3.12.8 .
Orgs running a vulnerable instance of GitHub Enterprise Server (GHES), GitHub's self-hosted version, will likely do well to download the update ASAP as miscreants are likely already scanning for this CVE.
[6]
Affected versions of GHES include 3.13.0 to 3.13.2, 3.10.0 to 3.10.15, 3.11.0 to 3.11.13 and 3.12.0 to 3.12.7.
[7]
[8]
As GitHub explained in the release notes we’ve linked to above, the critical flaw affected GHES instances that use Security Assertion Markup Language (SAML) for single sign-on authentication. The SAML authentication allows specific identity providers (IdPs) that use publicly exposed and signed federation metadata XML. This could allow an attacker to forge a SAML response to gain administrator privileges on a compromised machine, thus giving an unauthorized party access to your organization's GitHub-hosted repos.
This vulnerability, along with two others addressed in version 3.13.3, were reported via the [9]GitHub Bug Bounty program .
[10]
The other two now-fixed flaws are both rated medium-severity.
[11]CVE-2024-7711 could allow an attacker to update the title, assignees and labels of any issue inside a public repository — public being the key word here. Private and internal repositories are not affected by this bug, which earned a 5.3 CVSS rating.
[12]CVE-2024-6337 is a 5.9-rated vulnerability that could allow an attacker to disclose the issue contents from a private repository using a GitHub App with only 'content: read' and 'pull_request_write: write' permissions.
[13]
This one can only be exploited with a user-access token, we're told. Installation access tokens are not affected.
[14]GitHub rolls back database change after breaking itself
[15]Who needs GitHub Copilot when you can roll your own AI code assistant at home
[16]110K domains targeted in 'sophisticated' AWS cloud extortion campaign
[17]Multiple flaws in Microsoft macOS apps unpatched despite potential risks
It's been a rocky couple of weeks for the collaborative coding colossus.
This security update comes about a week after GitHub [18]broke itself after rolling out an "erroneous" configuration change to all GitHub.com databases. This caused a global outage to several of its services, along with GitHub.com and the GitHub API.
Also last week, Palo Alto’s Unit 42 threat intelligence team found that a [19]bad combination of misconfigurations and security flaws can make GitHub Actions artifacts leak both GitHub and third-party cloud services tokens. ®
Get our [20]Tech Resources
[1] https://www.cve.org/cverecord?id=CVE-2024-6800
[2] https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3
[3] https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.16
[4] https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14
[5] https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://bounty.github.com/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://www.cve.org/cverecord?id=CVE-2024-7711
[12] https://www.cve.org/cverecord?id=CVE-2024-6337
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2024/08/14/github_rollback/
[15] https://www.theregister.com/2024/08/18/self_hosted_github_copilot/
[16] https://www.theregister.com/2024/08/21/aws_extortion_campaign/
[17] https://www.theregister.com/2024/08/19/cisco_talos_microsoft_macos/
[18] https://www.theregister.com/2024/08/14/github_rollback/
[19] https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
[20] https://whitepapers.theregister.com/
The good news is that there's a fix. The Microsoft-owned code hosting service addressed the 9.5 CVSS-rated flaw tracked as [1]CVE-2024-6800 in GitHub Enterprise Server (GHES) versions [2]3.13.3 , [3]3.10.16 , [4]3.11.14 , and [5]3.12.8 .
Orgs running a vulnerable instance of GitHub Enterprise Server (GHES), GitHub's self-hosted version, will likely do well to download the update ASAP as miscreants are likely already scanning for this CVE.
[6]
Affected versions of GHES include 3.13.0 to 3.13.2, 3.10.0 to 3.10.15, 3.11.0 to 3.11.13 and 3.12.0 to 3.12.7.
[7]
[8]
As GitHub explained in the release notes we’ve linked to above, the critical flaw affected GHES instances that use Security Assertion Markup Language (SAML) for single sign-on authentication. The SAML authentication allows specific identity providers (IdPs) that use publicly exposed and signed federation metadata XML. This could allow an attacker to forge a SAML response to gain administrator privileges on a compromised machine, thus giving an unauthorized party access to your organization's GitHub-hosted repos.
This vulnerability, along with two others addressed in version 3.13.3, were reported via the [9]GitHub Bug Bounty program .
[10]
The other two now-fixed flaws are both rated medium-severity.
[11]CVE-2024-7711 could allow an attacker to update the title, assignees and labels of any issue inside a public repository — public being the key word here. Private and internal repositories are not affected by this bug, which earned a 5.3 CVSS rating.
[12]CVE-2024-6337 is a 5.9-rated vulnerability that could allow an attacker to disclose the issue contents from a private repository using a GitHub App with only 'content: read' and 'pull_request_write: write' permissions.
[13]
This one can only be exploited with a user-access token, we're told. Installation access tokens are not affected.
[14]GitHub rolls back database change after breaking itself
[15]Who needs GitHub Copilot when you can roll your own AI code assistant at home
[16]110K domains targeted in 'sophisticated' AWS cloud extortion campaign
[17]Multiple flaws in Microsoft macOS apps unpatched despite potential risks
It's been a rocky couple of weeks for the collaborative coding colossus.
This security update comes about a week after GitHub [18]broke itself after rolling out an "erroneous" configuration change to all GitHub.com databases. This caused a global outage to several of its services, along with GitHub.com and the GitHub API.
Also last week, Palo Alto’s Unit 42 threat intelligence team found that a [19]bad combination of misconfigurations and security flaws can make GitHub Actions artifacts leak both GitHub and third-party cloud services tokens. ®
Get our [20]Tech Resources
[1] https://www.cve.org/cverecord?id=CVE-2024-6800
[2] https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3
[3] https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.16
[4] https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14
[5] https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://bounty.github.com/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://www.cve.org/cverecord?id=CVE-2024-7711
[12] https://www.cve.org/cverecord?id=CVE-2024-6337
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2024/08/14/github_rollback/
[15] https://www.theregister.com/2024/08/18/self_hosted_github_copilot/
[16] https://www.theregister.com/2024/08/21/aws_extortion_campaign/
[17] https://www.theregister.com/2024/08/19/cisco_talos_microsoft_macos/
[18] https://www.theregister.com/2024/08/14/github_rollback/
[19] https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
[20] https://whitepapers.theregister.com/