GitHub has disclosed a severe security vulnerability (CVE-2024-4985) in GitHub Enterprise Server (GHES) that allows an attacker to bypass SAML single sign-on authentication and gain access to sensitive repositories. Rated 10.0 on the CVSS scale, the flaw could lead to major security breaches if affected instances are not patched immediately.
Flaw discovery and details
GitHub Enterprise Server (GHES), the self-hosted version of GitHub Enterprise, is designed for businesses that need a secure, customizable environment for source code management. A critical flaw (CVE-2024-4985) has been found in the optional encrypted assertions feature of the SAML single sign-on (SSO) authentication mechanism. This flaw allows an attacker to forge a SAML response, impersonate a legitimate user, and gain unauthorized access, potentially with administrator privileges.
This vulnerability was discovered through GitHub's Bug Bounty program, emphasizing the importance of community involvement in identifying and mitigating security risks. The issue affects only those GHES instances where SAML SSO with encrypted assertions is enabled, which is not the default configuration.
Because a forged SAML response yields an authenticated session for whichever user the attacker chooses to impersonate, exploitation of CVE-2024-4985 can lead to the following risks:
- Unauthorized access to sensitive code repositories.
- Data breaches.
- Disruption of development operations.
- Potentially provisioning accounts with site administrator privileges.
Given the maximum CVSS score of 10.0, the impact of this vulnerability is significant, warranting immediate attention from administrators of affected systems.
GitHub's response
GitHub has responded promptly by releasing fixed versions for each supported GHES release line: 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Administrators are urged to upgrade to the fixed version for their line without delay to mitigate the risk of exploitation.
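Administrators often need to check many instances at once, and a naive string comparison gets release lines wrong (lexically, "3.10.12" sorts before "3.9.15"). The following is an added example, not code from GitHub or from the original article, that decides whether a GHES version string carries the fix for CVE-2024-4985 and combines that with the encrypted-assertions precondition described above. It assumes the version string is the bare form reported by the instance (for example the installed_version field returned by the GHES REST meta endpoint; that field name is an assumption here, not something stated on this page). It also assumes, per GitHub's advisory, that release lines from 3.13.0 onward never shipped the flaw and that lines older than 3.9 received no fix.

```python
"""Decide whether a GitHub Enterprise Server version carries the CVE-2024-4985 fix."""

import re
from typing import Tuple

# Fixed patch releases named in GitHub's advisory, keyed by release line.
FIXED_PATCH = {
    (3, 9): 15,
    (3, 10): 12,
    (3, 11): 10,
    (3, 12): 4,
}

# First release line that never shipped the flaw (assumption taken from GitHub's
# advisory, which states that all versions prior to 3.13.0 were affected).
FIRST_UNAFFECTED_LINE = (3, 13)

# Accepts "3.12.4", "v3.12.4" and a trailing build suffix such as "3.12.4-rc1".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into integers so that numeric comparison is
    correct (3.10.12 must sort after 3.9.15, which a string compare gets wrong)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if this release carries the CVE-2024-4985 fix."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED_LINE:
        return True
    if line in FIXED_PATCH:
        return patch >= FIXED_PATCH[line]
    # Release lines older than 3.9 received no fix: treat them as unpatched.
    return False


def assess(version: str, encrypted_assertions_enabled: bool) -> str:
    """Combine the version check with the configuration precondition.

    The flaw is only reachable when SAML encrypted assertions are enabled, but an
    unpatched instance should still be upgraded because the setting can change later.
    """
    if is_patched(version):
        return "patched"
    if encrypted_assertions_enabled:
        return "vulnerable: upgrade now"
    return "unpatched but not exposed (encrypted assertions disabled); upgrade anyway"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported version, encrypted assertions on?)
    inventory = [
        ("ghes-prod", "3.12.3", True),
        ("ghes-staging", "3.12.4", True),
        ("ghes-legacy", "3.8.20", False),
        ("ghes-new", "3.13.0", True),
    ]
    for host, ver, enc in inventory:
        print(f"{host:<13} {ver:<8} {assess(ver, enc)}")
```

The two-stage result is deliberate: a version that predates the fix is reported as "vulnerable" only when the precondition holds, but it is never reported as safe, because the outcome of the exposure check depends on a setting an administrator can flip at any time.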
Known issues with the upgrade include:
- Custom firewall rules are removed during the upgrade.
- A "No such object" error from the Notebook and Viewscreen services, which can be ignored.
- The root site administrator can be locked out; unlocking requires administrative SSH access.
- Problems with certificate authority bundles in TLS-enabled log forwarding.
- Various performance and operational impacts, particularly related to MySQL upgrades.
GitHub provides detailed instructions on configuring SAML single sign-on and enabling encrypted assertions to assist administrators in securing their systems effectively.
Administrators running GHES with SAML SSO and encrypted assertions enabled must apply the fixed version for their release line immediately. Before concluding that an instance is unaffected, confirm in its SAML settings whether encrypted assertions are actually enabled rather than assuming the default is in place. Those not using this configuration should still review their security settings and upgrade to the latest version to benefit from the other security, performance, and bug fixes it carries.
For more detailed information, refer to GitHub's security advisories and the specific patch notes for each version (3.9.15, 3.10.12, 3.11.10, and 3.12.4).