Thousands of GitHub Enterprise Server (GHES) instances in the United States using SAML single sign-on (SSO) authentication are at high risk of compromise from a critical vulnerability that now has a proof-of-concept exploit available on the open internet.
GitHub Enterprise Server, a self-hosted platform for software development, acts as a self-contained virtual appliance. It helps build and ship software using Git version control, powerful APIs, productivity and collaboration tools, and integrations. GHES is recommended for use in enterprises that are subject to regulatory compliance, which helps to avoid issues that arise from software development platforms in the public cloud.
GitHub rolled out fixes on Monday to address a maximum severity vulnerability in the GitHub Enterprise Server that could allow an attacker to bypass authentication protections.
The critical flaw, tracked as CVE-2024-4985, has the maximum severity rating possible on the CVSS scale since it allowed attackers unauthorized access to the targeted instance without requiring prior authentication.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” GitHub explained.
GitHub said that encrypted assertions are not enabled by default. “Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted,” it further added.
Encrypted assertions improve GHES instance’s security with SAML SSO by encrypting the messages that an SAML identity provider (IdP) sends.
GitHub noted that the critical vulnerability impacts all versions of GHES prior to 3.13.0. It has been fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
The users upgrading to the latest patch could, however, face some issues. Known issues with this updated version are:
- Custom firewall rules are removed during the upgrade process.
- During the validation phase of a configuration run, a “No such object” error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell.
- If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using
ghe-ssl-ca-certificate-install
are not respected, and connections to the server fail. - The
mbind
: Operation not permitted error in the/var/log/mysql/mysql.err
file can be ignored. MySQL 8 does not gracefully handle when theCAP_SYS_NICE
capability isn’t required, and outputs an error instead of a warning. - On an instance hosted in AWS, system time may lose synchronization with Amazon’s servers after an administrator reboots the instance.
- On an instance with the HTTP X-Forwarded-For header configured for use behind a load balancer, all client IP addresses in the instance’s audit log erroneously appear as 127.0.0.1.
- In some situations, large
.adoc
files stored in a repository do not render properly in the web UI. The raw contents are still available to view as plaintext. - On an instance in a cluster configuration, restoration of a backup using
ghe-restore
will exit prematurely if Redis has not restarted properly. - On an instance with GitHub Actions enabled, Actions workflows that deploy GitHub Pages sites may fail.
- Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
Thousands at Risk as PoC Goes Public
ODIN, an Internet search engine by Cyble for attack surface management and threat intelligence, found that nearly 3,000 instances of Github Enterprise Server exposed to the internet are vulnerable to CVE-2024-4985.
Of these, the most number of instances (2.09k) that are currently unpatched and at risk of being exploited are from the U.S., who is distantly followed by Ireland which has 331 vulnerable instances.
ODIN’s customers can use the query: services.modules.http.title:"Github Enterprise"
to track the vulnerable instances.
This maximum severity bug needs urgent patching as a proof-of-concept is now available on GitHub itself. The GitHub user has given a step-by-step guidance on the PoC exploit owing to which widespread exploitation could be expected soon, if not already taking place.
Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.