A critical vulnerability in the GitHub Enterprise Server (GHES), a self-hosted version of GitHub, has been discovered. It lets attackers bypass authentication measures on vulnerable instances and gain unrestricted admin access.
The vulnerability is registered as CVE-2024-4985 and reached the highest severity level with a maximum possible CVSS score of 10. All GHES versions prior to 3.13.0 are affected.
For the vulnerability to be exploited, authentication via SAML Single Sign-On (SSO) must be activated on the respective target instance, together with the optional Encrypted Assertions function.
The vulnerability arose due to GHES inadequately validating and verifying encrypted SAML assertions. This weak validation allowed attackers to forge SAML responses and bypass authentication, allowing them to gain unauthorized access, potentially with administrator privileges.
GitHub emphasized that encrypted assertions are not enabled by default. As a result, the vulnerability only affects those servers on which the responsible administrator has enabled the function themselves. “Instances that do not use SAML SSO or use SAML SSO authentication without encrypted assertions are not affected,” the developer noted.
Vulnerabilities Persist on Trusted Platforms
Jason Soroko, senior vice president of product at Sectigo, said the GHES vulnerability illustrates that even widely used and trusted platforms can have critical security flaws.
“Regular updates and patches are crucial as they often include fixes for such vulnerabilities,” Soroko said. “Staying up to date ensures that organizations are protected against known threats and can mitigate potential exploits before attackers leverage them.”
This proactive approach is essential to maintaining the integrity and security of enterprise environments. “When configuring SAML SSOorganizations must assess the security risks of optional features like encrypted assertions,” Soroko explained.
Properly configuring and reviewing settings, managing encryption keys, and monitoring SSO activities for unauthorized access are critical. Soroko added that SSO implementations should be regularly updated and patched to address vulnerabilities.
The vulnerability is trivial to exploit, pointed out David Brumley, CEO of ForAllSecure, and it works remotely for anyone who can connect to a GitHub server. “If an organization can’t update today, they immediately need to lock down their network security and pay close attention to auditing who is using the vulnerable version,” he advised.
Considering the impact on authentication mechanisms like SAML SSOevery organization should focus on the basics. “Proactively search and squash vulnerabilities, built-in update and audit for when things go wrong, and a recovery plan,” Brumley explained. “This vulnerability highlights the importance of API security, which should now be part of every organization’s toolbox.”
As Brumley noted, legacy web security tools are inappropriate here; web security crawls webpages, while the real work is done in the backend APIs. “GitHub is an enterprise product, making it more critical to keep up to date,” he said. “In addition to keeping it up to date, keeping the server protected behind a zero-trust network will help add defense in depth.”
Anything with CVSS 10 should trigger two immediate responses: an audit to determine whether the organization has been compromised and an upgrade of any vulnerable servers. “Organizations must be able to do both at any time,” Brumley said. You need to have an incident response team and a plan.”
Expect authentication bypass vulnerabilities to become more complex and sophisticated with AI-driven attacks and a never-ending stream of novel zero-day exploits, Soroko said. “To stay ahead, organizations must align with NIST CSF 2.0 and enforce strong governance practices.”
This means investing in advanced threat detection, regularly updating security protocols, fostering cybersecurity awareness and establishing clear governance policies for accountability and continuous monitoring.
Photo by S N Pattenden on Unsplash
Recent Articles By Author
GIPHY App Key not set. Please check settings