Critical Vulnerability in GitHub Enterprise Server Puts Thousands of Instances at Risk
Thousands of GitHub Enterprise Server (GHES) instances in the United States using SAML single sign-on (SSO) authentication are at high risk of compromise from a critical vulnerability that now has a proof-of-concept exploit available on the open internet.
GitHub Enterprise Server, a self-hosted platform for software development, acts as a self-contained virtual appliance. It helps build and ship software using Git version control, powerful APIs, productivity and collaboration tools, and integrations. GHES is recommended for use in enterprises that are subject to regulatory compliance, which helps to avoid issues that arise from software development platforms in the public cloud.
GitHub rolled out fixes on Monday to address a maximum severity vulnerability in the GitHub Enterprise Server that could allow an attacker to bypass authentication protections.
The critical flaw, tracked as CVE-2024-4985, has the maximum severity rating possible on the CVSS scale since it allowed attackers unauthorized access to the targeted instance without requiring prior authentication.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” GitHub explained.
GitHub said that encrypted assertions are not enabled by default. “Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted,” it further added.
Encrypted assertions improve GHES instance’s security with SAML SSO by encrypting the messages that an SAML identity provider (IdP) sends.
GitHub noted that the critical vulnerability impacts all versions of GHES prior to 3.13.0. It has been fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
ODIN, an Internet search engine by Cyble for attack surface management and threat intelligence, found that nearly 3,000 instances of Github Enterprise Server exposed to the internet are vulnerable to CVE-2024-4985.
Of these, the most number of instances (2.09k) that are currently unpatched and at risk of being exploited are from the U.S., who is distantly followed by Ireland which has 331 vulnerable instances.
This maximum severity bug needs urgent patching as a proof-of-concept is now available on GitHub itself. The GitHub user has given a step-by-step guidance on the PoC exploit owing to which widespread exploitation could be expected soon, if not already taking place.