An authentication bypass vulnerability of maximum severity (CVSS V4 Score: 10.0) tracked as CVE-2024-4985 was recently fixed by GitHub. The vulnerability impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.
What to Know About the Vulnerability
By taking advantage of the vulnerability, a threat actor might spoof a SAML response and obtain administrator rights, giving them complete access to the instance’s contents without the need for authentication.
GHES is a self-hosted version of GitHub made for organizations that prefer to store repositories on their own servers or other private cloud environments instead of the main GitHub servers.
It meets the demands of development teams or major firms that need more control over their assets; entities that handle confidential or private data; companies that need high performance; and users who need offline access.
The vulnerability only affects instances using Security Assertion Markup Language (SAML) SSO with the optional encrypted assertions feature, which is meant to shield assertion data against interception (man-in-the-middle attacks). It was reported through GitHub’s Bug Bounty program.
On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.
GitHub on the Vulnerability
The vulnerability is now fixed in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released on May 20th, so be quick to patch your instances.
Known issues with the update include:
- Custom firewall rules are wiped;
- “No such object” error during configuration validation for Notebook and Viewscreen services (can be ignored);
- Management Console root admin account does not unlock automatically after lockout (and requires SSH access to unlock);
- TLS-enabled log forwarding fails as CA bundles uploaded using ghe-ssl-ca-certificate-install are not respected;
- The mbind: Operation not permitted error in MySQL logs can be ignored;
- AWS instances may lose system time synchronization after a reboot;
- All client IPs appear as 127.0.0.1 in audit logs when using the X-Forwarded-For header behind a load balancer;
- Large .adoc files may not render in the web UI but are available as plaintext;
- Backup restoration with ghe-restore may fail if Redis hasn’t restarted properly;
- Repositories imported using ghe-migrator do not track Advanced Security contributions correctly;
- GitHub Actions workflows for GitHub Pages may fail; the fix requires specific SSH commands (provided in the bulletin).
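A small triage helper, added here as an example and not taken from GitHub or the bulletin, that classifies a fleet of GHES instances against the fixed versions listed above and the exposure condition (SAML SSO with encrypted assertions). The inventory rows and hostnames are constructed sample data.

```python
import re

# Fixed GHES releases for CVE-2024-4985 as listed in the article, keyed by release line.
FIXED_VERSIONS = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}


def parse_version(text):
    """Turn a GHES version string such as '3.12.3' into a comparable tuple."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(part) for part in match.groups())


def patch_status(version, saml_encrypted_assertions):
    """Classify one instance.

    'patched'                - running a fixed build for its release line
    'vulnerable'             - unpatched AND using SAML SSO with encrypted assertions
    'unpatched-not-affected' - unpatched, but the exploitable configuration is not in use;
                               still schedule the upgrade
    'no-fix-listed'          - release line not covered by the bulletin (e.g. end-of-life)
    """
    current = parse_version(version)
    fixed = FIXED_VERSIONS.get(current[:2])
    if fixed is None:
        return "no-fix-listed"
    if current >= fixed:
        return "patched"
    return "vulnerable" if saml_encrypted_assertions else "unpatched-not-affected"


# Constructed inventory: (hostname, GHES version, SAML encrypted assertions enabled?)
INVENTORY = [
    ("ghes-prod-1", "3.12.3", True),
    ("ghes-prod-2", "3.12.4", True),
    ("ghes-dev", "3.11.9", False),
    ("ghes-legacy", "3.8.20", True),
]


def triage(inventory):
    """Map each hostname to its patch status so the vulnerable hosts can be prioritised."""
    return {host: patch_status(ver, enc) for host, ver, enc in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```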