Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now!
May 22, 2024
GitHub addressed a vulnerability in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication.
GitHub has rolled out security fixes to address a critical authentication bypass issue, tracked as CVE-2024-4985 (CVSS score: 10.0), in the GitHub Enterprise Server (GHES).
GitHub Enterprise Server (GHES) is a self-hosted version of GitHub designed for use within organizations. It provides the full capabilities of GitHub, including source code management, version control, collaboration tools, and continuous integration and delivery (CI/CD), but allows organizations to host the platform on their own infrastructure. This setup is ideal for companies that require more control over their data, enhanced security, and customization to meet internal compliance and regulatory requirements.
The authentication bypass vulnerability impacts GHES when using SAML single sign-on with encrypted assertions. An attacker can trigger the issue to forge SAML responses, granting them site administrator privileges without prior authentication.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.” reads the advisory published by the company. “Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”
The company pointed out that encrypted assertions are not enabled by default and that the vulnerability only affects installs using SAML single sign-on (SSO) or those that use SAML SSO authentication with encrypted assertions. Encrypted assertions are a security measure that allows encrypting the messages that the SAML identity provider (IdP) sends SAML SSO.
The vulnerability affected all GHES versions before 3.13.0 and was addressed with the release of versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. The issue was reported through the GitHub Bug Bounty program.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, GitHub Enterprise Server)