Thousands of GitHub Enterprise Server (GHES) instances in the United States are exposed to a critical vulnerability that can bypass their SAML single sign-on (SSO) authentication. The risk is heightened because a proof-of-concept exploit for the flaw is now publicly available on the open internet.
GitHub Enterprise Server is a vital platform for software development, providing a self-contained virtual appliance for building and shipping software using Git version control, powerful APIs, collaboration tools, and integrations. It is a preferred choice for enterprises subject to regulatory compliance, offering a secure alternative to public cloud-based development platforms.
GitHub released fixes on Monday for the maximum-severity vulnerability in GitHub Enterprise Server. The flaw, tracked as CVE-2024-4985, carries the highest possible CVSS rating because it allows attackers to bypass authentication protections and gain unauthorized access to targeted instances.
The vulnerability affects only instances that use SAML single sign-on (SSO) authentication with encrypted assertions enabled. An attacker could exploit it by forging a SAML response to provision and/or access a user with administrator privileges. GitHub clarified that instances that do not use SAML SSO, or that use SAML SSO without encrypted assertions, are not affected.
Encrypted assertions enhance the security of GHES instances utilizing SAML SSO by encrypting the messages exchanged between a SAML identity provider (IdP) and the server.
GitHub emphasized that the vulnerability affects all versions of GHES released before 3.13.0; it has been fixed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Users upgrading to these patches may encounter known issues, including removal of custom firewall rules, errors during the validation phase of the configuration run, and prolonged account lockout periods for the root site administrator.
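As an added triage helper, not part of this article or of GitHub's own tooling, the following Python encodes the two exposure conditions stated above (release before the fixed version on its branch, and SAML SSO with encrypted assertions) and runs them over a constructed inventory. The hostnames and versions in the inventory are made up, and the advice to move branches without a backported fix to 3.13.0 is an assumption drawn from the "before 3.13.0" wording.

```python
# Fixed releases per branch, as stated in the advisory summary above.
FIXED_IN = {(3, 9): (3, 9, 15), (3, 10): (3, 10, 12),
            (3, 11): (3, 11, 10), (3, 12): (3, 12, 4)}
FIRST_UNAFFECTED = (3, 13, 0)  # every release before 3.13.0 is affected


def parse_version(text):
    """Turn '3.11.9' into (3, 11, 9); reject anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version, saml_sso, encrypted_assertions):
    """True only when both the release and the SAML setup match the advisory."""
    if not (saml_sso and encrypted_assertions):
        return False  # no SAML, or SAML without encrypted assertions: not affected
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return True  # branch with no backported fix (e.g. 3.8.x): still affected
    return v < fixed


def recommended_fix(version):
    """Fixed release on the same branch; assumption: otherwise move to 3.13.0."""
    target = FIXED_IN.get(parse_version(version)[:2], FIRST_UNAFFECTED)
    return ".".join(str(n) for n in target)


def triage(inventory):
    """Map each exposed hostname to the release it should be upgraded to."""
    return {h["name"]: recommended_fix(h["version"]) for h in inventory
            if is_vulnerable(h["version"], h["saml_sso"], h["encrypted_assertions"])}


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "ghes-a.example", "version": "3.11.9", "saml_sso": True, "encrypted_assertions": True},
    {"name": "ghes-b.example", "version": "3.11.10", "saml_sso": True, "encrypted_assertions": True},
    {"name": "ghes-c.example", "version": "3.12.3", "saml_sso": True, "encrypted_assertions": False},
    {"name": "ghes-d.example", "version": "3.8.20", "saml_sso": True, "encrypted_assertions": True},
]

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: exposed to CVE-2024-4985, upgrade to {fix}")
```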
ODIN, Cyble's specialized Internet search engine for attack surface management and threat intelligence, identified nearly 3,000 internet-exposed instances of vulnerable GitHub Enterprise Server. The majority of unpatched instances, 2.09k, are located in the U.S., followed by Ireland with 331. ODIN customers can use a specific query to track these vulnerable instances for remediation.
The urgency of addressing this bug is underscored by the availability of a proof-of-concept exploit on GitHub itself: a GitHub user has published a detailed guide to exploiting the vulnerability, raising concerns about widespread exploitation unless remedial action is taken promptly.
In conclusion, the critical vulnerability in GitHub Enterprise Server highlights the importance of prompt security patching and proactive risk mitigation measures to safeguard sensitive data and systems from potential cyber threats. Vigilance and rapid response to such vulnerabilities are essential in maintaining the security and integrity of software development platforms in enterprise environments.