
Warning: Github Enterprise Server Has an Authentication Bypass When Using SAML SSO

Reference: Advisory #2024-70
Version: 1.0
Affected software: GitHub Enterprise Server (GHES) <3.13.0
Type: CWE-303 - Incorrect Implementation of Authentication Algorithm
CVE/CVSS: CVE-2024-4985: CVSS 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:U/V:C/RE:M/U:Red)

Sources

https://github.com/advisories/GHSA-5pw9-f9r4-mv2r

Risks

An authentication bypass vulnerability, CVE-2024-4985, was present in all versions of GitHub Enterprise Server prior to 3.13.0. Successful exploitation allows an attacker to gain unauthorized access to the instance without prior authentication and has a high impact on confidentiality, integrity and availability.

Description

The vulnerability, CVE-2024-4985, with a CVSS score of 10, affects GitHub Enterprise Server (GHES) instances that use the SAML single sign-on authentication method together with the optional encrypted assertions feature. Other authentication methods are unaffected. It can be exploited by forging a SAML response to provision a user and gain site administrator privileges.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The vulnerability was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
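A triage helper, added here and not part of the CCB advisory or of GitHub's tooling, that encodes the affected range and the fixed releases named above so an inventory of GHES instances can be checked for missing updates. It assumes GHES version strings are dotted integers such as "3.11.9"; the hostnames used with it are constructed examples.

```python
# Added triage helper: encodes the affected range (< 3.13.0) and the fixed
# releases named in this advisory (3.9.15, 3.10.12, 3.11.10, 3.12.4).
# Assumption: GHES reports its version as dotted integers such as "3.11.9".
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First patched release on each supported minor branch, per the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
FIRST_UNAFFECTED: Version = (3, 13, 0)


def parse_version(text: str) -> Version:
    """Parse "3.11.9" (an optional leading "v" is tolerated) into a tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True if this GHES version still carries CVE-2024-4985."""
    version = parse_version(text)
    if version >= FIRST_UNAFFECTED:
        return False  # 3.13.0 and later never shipped the flaw
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return True  # branch older than 3.9: no backported fix, upgrade needed
    return version < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to a patch-report status line."""
    report = {}
    for host, version in inventory:
        if not is_vulnerable(version):
            report[host] = "patched"
            continue
        fixed = FIXED_RELEASES.get(parse_version(version)[:2], FIRST_UNAFFECTED)
        target = ".".join(map(str, fixed))
        report[host] = f"VULNERABLE: upgrade to {target} or later"
    return report
```

Feed `triage()` a list such as `[("ghes-a.example", "3.11.9"), ("ghes-b.example", "3.12.4")]` (constructed hosts) to get a per-host status; remember that a "patched" result only rules out future exploitation, not an earlier compromise.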

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-4985