CVE-2017-18365
Published 2019-03-28
Priority P1 · 87 · critical 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 21.40% (97.3rd percentile)
The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github | github | — | — |
| github | github | >= 2.8.0 < 2.8.7 | 2.8.7 |
Detection & IOCs (extracted from sources)
- The session secret is hard-coded and present in the GitHub Enterprise source code; any session cookie signed with this known static secret should be treated as suspicious and potentially malicious.
- Monitor HTTP requests to the GitHub Enterprise Management Console for inbound session cookies whose base64-decoded value is serialized Ruby Marshal data (header bytes \x04\x08). Legitimate sessions issued by a vulnerable instance are Marshal-encoded as well, so the header alone is weak evidence; a payload whose object graph contains class references (object, marshal_load or _load records) that a plain session hash never carries indicates an exploitation attempt.
- Unauthenticated requests to the Management Console endpoint carrying a session cookie should be flagged; exploitation requires no prior authentication.
- A Metasploit module exists for this vulnerability, targeting GitHub Enterprise versions 2.8.0 through 2.8.6 via linux/http; its use against an instance is an active exploitation attempt.
- The hard-coded session secret is embedded in the GitHub Enterprise product source code and is identical across all affected deployments (versions 2.8.0 through 2.8.6), so every instance is equally vulnerable, with no per-installation variation.
- The Metasploit module confirmed exploitation against version 2.8.0 specifically, though the vulnerable range spans 2.8.0 through 2.8.6.
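As an added example (not part of this page and not GitHub's own code), the following Ruby puts the description and the detection points above into working form. It builds and parses cookies in the Rack::Session::Cookie layout that Sinatra/Rack applications use, which is assumed here for the Management Console; checks in constant time whether the HMAC validates under a known static secret; and walks the base64-decoded Marshal stream to list every class reference without ever calling Marshal.load, so the inspector itself cannot be exploited by the cookie it inspects. The secret value, the two sample cookies and the ConstructedGadgetStandIn class are constructed placeholders, not the real leaked secret or a real gadget chain.

```ruby
require 'openssl'
require 'stringio'
require 'cgi'

# Placeholder (assumption for this example): the real hard-coded GHE 2.8.x secret is not reproduced.
STATIC_SECRET = 'placeholder-management-console-session-secret'.freeze
MARSHAL_MAGIC = "\x04\x08".b.freeze # Marshal format 4.8 header

# Rack::Session::Cookie (rack 1.x/2.x) layout, assumed for the Management Console:
# "<base64(Marshal.dump(session))>--<hex HMAC-SHA1(secret, base64)>", URL-escaped.
def build_rack_cookie(session, secret)
  payload = [Marshal.dump(session)].pack('m')
  CGI.escape("#{payload}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)}")
end

def signed_with?(payload, hmac, secret) # constant-time comparison of the tag
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  return false unless expected.bytesize == hmac.bytesize
  expected.bytes.zip(hmac.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Walks a Marshal 4.8 stream and records every class reference without instantiating anything.
# A plain session hash (strings, symbols, numbers, arrays, hashes, nil/true/false) yields none;
# a gadget chain needs 'o', 'U', 'u', 'C' or 'e' records. Any other type byte raises.
class MarshalScanner
  FLAGGED = { 'o' => :object, 'U' => :marshal_load, 'u' => :_load,
              'C' => :user_class, 'e' => :extended, 'S' => :struct }.freeze
  def initialize(bytes)
    @io, @syms, @refs = StringIO.new(bytes.b), [], []
  end
  def scan
    raise 'not a Marshal 4.8 stream' unless @io.read(2) == MARSHAL_MAGIC
    walk
    @refs
  end
  def packed_int # Marshal's variable-length integer encoding
    b = @io.read(1).unpack1('c')
    return 0 if b.zero?
    return b > 4 ? b - 5 : b + 5 if b.abs > 4
    v = @io.read(b.abs).bytes.each_with_index.sum { |x, i| x << (8 * i) }
    b.positive? ? v : v - (1 << (8 * b.abs))
  end
  def symbol(t = @io.read(1))
    case t
    when ':' then (@syms << @io.read(packed_int)).last
    when ';' then @syms.fetch(packed_int) # link to an earlier symbol
    else raise "expected symbol, got #{t.inspect}"
    end
  end
  def walk
    t = @io.read(1)
    case t
    when '0', 'T', 'F' then nil
    when 'i', '@' then packed_int                         # fixnum / object link
    when ':', ';' then symbol(t)
    when '"', 'f' then @io.read(packed_int)               # string / float
    when 'l' then @io.read(1); @io.read(packed_int * 2)   # bignum: sign byte, shorts
    when 'I' then walk; packed_int.times { symbol; walk } # ivar-wrapped (encoded string)
    when '[' then packed_int.times { walk }
    when '{' then packed_int.times { walk; walk }
    when '}' then packed_int.times { walk; walk }; walk   # hash with default value
    when 'o', 'S' then @refs << [FLAGGED[t], symbol]; packed_int.times { symbol; walk } # Object / Struct
    when 'U', 'C', 'e' then @refs << [FLAGGED[t], symbol]; walk  # marshal_load / subclass / extended
    when 'u' then @refs << [FLAGGED[t], symbol]; @io.read(packed_int) # _load(string)
    else raise "unsupported Marshal type byte #{t.inspect}"
    end
  end
end

# Classifies one Cookie-header value against the IOCs above; never calls Marshal.load.
def inspect_session_cookie(raw, known_secrets = [STATIC_SECRET])
  payload, hmac = CGI.unescape(raw).split('--', 2)
  return { verdict: :not_rack_session, findings: [], refs: [] } unless payload && hmac
  findings, refs = [], []
  findings << :signed_with_static_secret if known_secrets.any? { |s| signed_with?(payload, hmac, s) }
  decoded = payload.unpack1('m')
  if decoded.b.start_with?(MARSHAL_MAGIC)
    findings << :marshal_payload
    refs = MarshalScanner.new(decoded).scan rescue (findings << :malformed_marshal; [])
    findings << :custom_objects unless refs.empty?
  end
  verdict = :benign
  verdict = :static_secret_session if findings.include?(:signed_with_static_secret) # hostile once the secret is rotated
  verdict = :exploit_attempt if findings.include?(:custom_objects) || findings.include?(:malformed_marshal)
  { verdict: verdict, findings: findings, refs: refs }
end

# Constructed stand-in for a gadget class: reaching any class through an 'o' record is what gets flagged.
class ConstructedGadgetStandIn
  def initialize(cmd); @cmd = cmd; end
end

def sample_verdicts # constructed traffic: one genuine session cookie, one forged one
  benign = build_rack_cookie({ 'session_id' => 'c0ffee', 'csrf' => 'tok' }, STATIC_SECRET)
  forged = build_rack_cookie(ConstructedGadgetStandIn.new('id'), STATIC_SECRET)
  [inspect_session_cookie(benign), inspect_session_cookie(forged)]
end
```

A genuine session on an unpatched 2.8.x host also decodes to Marshal and also validates under the static secret, so the only things that separate an exploit attempt from normal traffic are the class references in the stream (or a stream the walker cannot parse); once the secret has been replaced with a per-installation value, any cookie that still validates under the old one is hostile on its own. The same layout points at the fix on the application side: a random per-installation secret and a coder that does not rebuild objects (Rack ships Rack::Session::Cookie::Base64::JSON for exactly this).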
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-cg2q-c8hj-pqc3 · ghsa_unreviewed · 2022-05-14 · CVE-2017-18365 [CRITICAL] · CWE-502
VulnCheck
github github: Deserialization of Untrusted Data · vulncheck · 2017 · CVSS 9.8 · CVE-2017-18365 [CRITICAL]
Affected: github github
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.vulncheck.com/advisories/github-enterprise-managment-console-deserialization-rc
No detection rules found.
No writeups or analysis indexed.