Critical SAML Exploit in GitHub Enterprise Server Fixed with Urgent Update
GitHub Fixes Critical Authentication Bypass Vulnerability in Enterprise Server
GitHub has addressed a maximum severity vulnerability, tracked as CVE-2024-4985, which threatened GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication. This critical flaw carried a CVSS v4 score of 10.0, indicating its potential for severe impact.
Vulnerability Overview
The authentication bypass vulnerability allowed threat actors to forge a SAML response, thereby gaining administrator privileges without needing any authentication. This would grant attackers unrestricted access to all contents of a GHES instance.
GHES and Its Users
GitHub Enterprise Server is a self-hosted version of GitHub, tailored for organizations that require their repositories to be stored on their own servers or private cloud environments. It caters to large enterprises, development teams needing greater control, entities handling sensitive data, and users requiring offline access.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
Specifics of the Flaw
The vulnerability affected instances utilizing SAML SSO with encrypted assertions, an optional security feature designed to protect data against interception. As this is not a default setting, only instances with this feature enabled were at risk.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” GitHub explained.
Patches and Fixes
GitHub has released fixes in versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15 of GitHub Enterprise Server, all made available on May 20. Administrators are urged to update to these versions immediately to secure their instances.
Trending: 10 Misconceptions about Hacking
Trending: Digital Forensics Tool: dnstwist
Known Issues Post-Update
While the updates address the critical vulnerability, they come with several known issues:
- Custom firewall rules may be wiped.
- Configuration validation may show “No such object” errors for Notebook and Viewscreen services, which can be ignored.
- The Management Console root admin account may not unlock automatically after a lockout, requiring SSH access.
- TLS-enabled log forwarding may fail due to CA bundle issues.
- AWS instances might lose system time synchronization after a reboot.
- All client IPs might appear as 127.0.0.1 in audit logs when using the X-Forwarded-For header behind a load balancer.
- Large .adoc files may not render in the web UI but remain available as plaintext.
- Backup restoration using ghe-restore may fail if Redis hasn’t restarted properly.
- Repositories imported using ghe-migrator may not track Advanced Security contributions correctly.
- GitHub Actions workflows for GitHub Pages may fail, requiring specific SSH commands to fix (details provided in the bulletin).
Immediate Action Required
Despite the noted issues, it is crucial for users with the vulnerable configuration (SAML SSO with encrypted assertions) to update to the safe versions of GHES immediately. This proactive step is essential to mitigate the risk of exploitation and ensure the security of their systems.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
