CVE-2024-6800: A critical authentication bypass vulnerability affects the GitHub Enterprise Server

HawkEye CSOC Kuwait

Background

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns over the potential exploitation of a serious, recently patched vulnerability in SolarWinds’ Web Help Desk solution. The software is widely used by large enterprises, government agencies, and organizations in the healthcare and education sectors to manage help desk tasks.

On August 13, 2024, SolarWinds released a hotfix for CVE-2024-28986, a critical Remote Code Execution (RCE) vulnerability affecting Web Help Desk (WHD). WHD is a popular IT service management tool used for tracking and managing support issues across a variety of sectors. The vulnerability stems from a Java deserialization bug that could allow a remote attacker to run arbitrary code on vulnerable systems.

Although SolarWinds initially reported the vulnerability as an unauthenticated issue, the company stated that it was unable to reproduce it during testing.

Additionally, the company stated that the hotfix should not be applied if SAML Single Sign-On (SSO) is in use; a separate fix for that configuration is expected shortly. According to a SolarWinds support post that includes detailed instructions, administrators should first upgrade vulnerable servers to Web Help Desk 12.8.3.1813 before applying the hotfix. SolarWinds also advised backing up the original files before replacing them during installation, so that they can be restored if the hotfix deployment fails or does not complete successfully.

In line with its Binding Operational Directive (BOD), CISA added CVE-2024-28986 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch their WHD servers by September 5 at the latest.

CVE-2024-6800:

On August 20, 2024, GitHub patched a critical authentication bypass vulnerability in GitHub Enterprise Server (CVE-2024-6800). GitHub Enterprise Server is the self-hosted version of GitHub that lets businesses manage and collaborate on code within their own infrastructure. The issue affects instances that use SAML single sign-on (SSO) with particular identity providers (IdPs) that publish publicly accessible signed federation metadata XML. An attacker could exploit the vulnerability by forging a SAML response in order to provision, or gain unauthorized access to, an account with site administrator privileges. CVE-2024-6800 has been rated critical with a CVSS score of 9.5.

CVE-2024-6337:

Successful exploitation could allow an attacker to use a GitHub App with only “contents: read” and “pull requests: write” permissions to disclose the contents of a private repository on an affected instance. The issue can be exploited with user access tokens; installation access tokens are not affected.

CVE-2024-7711:

Successful exploitation could allow an attacker to alter the title, assignees, and labels of any issue in a public repository. Only public repositories are affected; private and internal repositories are not.

Recommendations:

We strongly recommend that customers upgrade to the latest fixed version.

Product: GitHub Enterprise Server
Affected versions: versions prior to 3.13.3, 3.12.8, 3.11.14, and 3.10.16
Fixed versions: any of the following: 3.13.3, 3.12.8, 3.11.14, or 3.10.16
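
As an added worked example (not part of the HawkEye advisory or of GitHub's own tooling), the following Python script checks an inventory of GitHub Enterprise Server versions against the fixed releases listed above and tells the operator which hosts still need the upgrade. The hostnames and versions in SAMPLE_INVENTORY are constructed for the example, and the handling of release branches outside 3.10 to 3.13 (flagged for manual review rather than judged fixed or vulnerable) is an assumption, since the advisory lists fixes only for those four branches.

```python
"""Triage GitHub Enterprise Server hosts against the fixed releases for
CVE-2024-6800, CVE-2024-6337 and CVE-2024-7711."""
from dataclasses import dataclass

# First fixed release on each supported branch, taken from the advisory's
# recommendations table: (major, minor) -> (major, minor, patch).
FIXED_VERSIONS = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '3.12.7' or 'v3.12.7' into (3, 12, 7); reject anything else,
    so a malformed inventory entry is never silently treated as fixed."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitHub Enterprise Server version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class Assessment:
    version: str
    status: str   # "fixed", "vulnerable" or "not-in-advisory"
    action: str


def assess(text: str) -> Assessment:
    """Compare one version with the first fixed release on its own branch.
    Patch levels are only comparable within a branch: 3.12.9 is fixed even
    though it is numerically below 3.13.3, so the lookup is per branch."""
    version = parse_version(text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Assumption: the advisory covers 3.10 through 3.13 only. Anything else
        # is sent for manual review against GitHub's release notes rather than
        # guessed at (older branches must be upgraded to a listed branch).
        return Assessment(
            text,
            "not-in-advisory",
            "branch %d.%d is not covered by the advisory; check GitHub's release "
            "notes and upgrade to a listed fixed release if older than 3.10" % branch,
        )
    if version >= fixed:
        return Assessment(text, "fixed", "no action required for these CVEs")
    return Assessment(
        text,
        "vulnerable",
        "upgrade to %s or later on this branch" % ".".join(map(str, fixed)),
    )


def triage(inventory: dict[str, str]) -> dict[str, Assessment]:
    """Assess every host in an inventory of {hostname: version}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ghes-prod.example.internal": "3.12.7",
    "ghes-dr.example.internal": "v3.13.3",
    "ghes-legacy.example.internal": "3.9.12",
    "ghes-test.example.internal": "3.11.14",
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {result.version:10} {result.status:16} {result.action}")
```

Feed the script the versions reported by each instance's management console and act on the "vulnerable" rows first; the "not-in-advisory" rows are the ones that still need a human decision.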

GitHub has warned that although errors can surface during the configuration run after the security updates are applied, the instance is expected to start without problems.

To prevent any operational impact, kindly adhere to your organization’s patching and testing policies.

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.