Warning: GitHub Enterprise Server Has an Authentication Bypass When Using SAML SSO
CVE-2024-4985: CVSS 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:U/V:C/RE:M/U:Red)
Sources
https://github.com/advisories/GHSA-5pw9-f9r4-mv2r
Risks
An authentication bypass vulnerability, CVE-2024-4985, was present in all versions of GitHub Enterprise Server (GHES) prior to 3.13.0. Successful exploitation allows an unauthenticated attacker to gain access to the instance with administrator privileges, with a high impact on confidentiality, integrity and availability.
Description
CVE-2024-4985 (CVSS score 10) affects GitHub Enterprise Server (GHES) instances that use SAML single sign-on (SSO) together with the optional encrypted assertions feature. Instances using other authentication methods, or SAML SSO without encrypted assertions, are not affected; encrypted assertions are not enabled by default. An attacker can exploit the flaw by forging a SAML response to provision a user and/or obtain access to a user with site administrator privileges.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium (CCB) strongly recommends installing the updates on vulnerable instances with the highest priority, after thorough testing. The vulnerability was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4; releases from 3.13.0 onwards are not affected.
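Because the fix is spread over four release branches, a plain "newer than X" comparison gets this wrong (3.12.3 is vulnerable while 3.11.10 is patched). The following is an added example, not code from the CCB advisory or from GitHub: it classifies a GHES version string against the fixed versions listed above. The `fetch_installed_version` helper assumes the GHES `GET /api/v3/meta` endpoint returns an `installed_version` field; the version strings fed to `assess` in the comments are made up for illustration.

```python
"""Classify a GitHub Enterprise Server version against the CVE-2024-4985 fix.

Added example (not part of the advisory). Fixed versions are taken from the
advisory text; everything else here is an assumption made for illustration.
"""
import json
import urllib.request

# Advisory: all versions before 3.13.0 are affected; fixed in these patch
# releases of the supported branches. Branch (major, minor) -> fixed patch.
FIXED_IN = {
    (3, 9): 15,
    (3, 10): 12,
    (3, 11): 10,
    (3, 12): 4,
}
FIRST_UNAFFECTED_BRANCH = (3, 13)


def parse_version(text):
    """'3.11.9' or 'v3.11.9' -> (3, 11, 9). Raises ValueError on junk input."""
    core = text.strip().lstrip("v")
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError("unrecognised GHES version: %r" % text)
    return tuple(int(p) for p in parts[:3])


def assess(version_text):
    """Return (vulnerable: bool, advice: str) for one GHES version string."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False, "not affected (3.13.0 or later)"
    fixed_patch = FIXED_IN.get(branch)
    if fixed_patch is None:
        # Older than 3.9: no fix release exists for this branch, so it is
        # vulnerable and the only remedy is an upgrade to a fixed branch.
        return True, "vulnerable: unsupported branch, upgrade to a fixed release"
    if patch >= fixed_patch:
        return False, "patched"
    return True, "vulnerable: upgrade to %d.%d.%d" % (major, minor, fixed_patch)


def fetch_installed_version(base_url, timeout=10):
    """Read the running version from the instance's meta endpoint.

    Assumption: GHES exposes GET /api/v3/meta with an 'installed_version'
    field. Network access is needed; not exercised by the offline checks.
    """
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/v3/meta",
                                timeout=timeout) as resp:
        return json.load(resp)["installed_version"]


if __name__ == "__main__":
    # Constructed sample inputs, one per interesting case.
    for v in ("3.11.9", "3.11.10", "3.12.3", "3.12.4", "3.13.0", "3.8.20"):
        vulnerable, advice = assess(v)
        print("%-8s %s" % (v, advice))
```

Run it against the output of `fetch_installed_version("https://ghes.example.internal")` on each instance you operate; anything that reports `vulnerable` goes to the top of the patch queue.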
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
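Since patching does not undo a compromise that happened before the update, the GHES audit log is the place to look for the trace this flaw would leave: an account that appears and is promoted to site administrator in quick succession, or that promotes itself. The following is an added example, not code from the CCB advisory or from GitHub: it correlates `user.create` and `user.promote` events from an audit-log export. The JSON-lines layout and the field names (`action`, `actor`, `user`, `created_at` in milliseconds) are assumptions about the export format, and the sample lines are constructed.

```python
"""Flag suspicious site-administrator promotions in a GHES audit-log export.

Added example (not part of the advisory). Field and action names are
assumptions about the exported JSON-lines format; check them against the
export from your own instance before relying on the logic.
"""
import json

# Constructed sample export: 'hubot' is created and promotes itself 90 s
# later; 'alice' is created and promoted by an existing admin a day later.
SAMPLE_LOG = """
{"action":"user.create","actor":"ghes-saml","user":"hubot","created_at":1716200000000}
{"action":"user.promote","actor":"hubot","user":"hubot","created_at":1716200090000}
{"action":"user.create","actor":"ghes-saml","user":"alice","created_at":1716203600000}
{"action":"user.promote","actor":"admin-bob","user":"alice","created_at":1716300000000}
{"action":"repo.create","actor":"alice","user":"alice","created_at":1716300100000}
""".strip()

# Creation followed by promotion within this window is treated as suspicious.
WINDOW_MS = 15 * 60 * 1000


def parse_events(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def suspicious_promotions(events, window_ms=WINDOW_MS):
    """Return one finding per user.promote event that matches a red flag.

    Red flags: the promoted account promoted itself (actor == user), or the
    account was created less than `window_ms` before being promoted.
    """
    created_at = {}
    for ev in events:
        if ev.get("action") == "user.create":
            created_at[ev.get("user")] = ev.get("created_at", 0)

    findings = []
    for ev in sorted(events, key=lambda e: e.get("created_at", 0)):
        if ev.get("action") != "user.promote":
            continue
        user, actor, ts = ev.get("user"), ev.get("actor"), ev.get("created_at", 0)
        reasons = []
        if actor == user:
            reasons.append("self-promotion")
        if user in created_at and 0 <= ts - created_at[user] <= window_ms:
            reasons.append("promoted %d s after account creation"
                           % ((ts - created_at[user]) // 1000))
        if reasons:
            findings.append({"user": user, "actor": actor,
                             "created_at": ts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_promotions(parse_events(SAMPLE_LOG)):
        print("%s promoted by %s: %s" % (f["user"], f["actor"], "; ".join(f["reasons"])))
```

Feed it the full export covering the period before the patch was applied, not just recent days; any hit should be treated as a potential intrusion and reported via the link above. A promotion performed by a known administrator outside the window (the `alice` line) is deliberately not flagged, so review legitimate admin changes separately.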