Advisory

Critical vulnerability in GitHub Enterprise Server enables access for attackers

Take action: If you are running GitHub Enterprise Server, this is an urgent patch. Even if SAML is not in use, the endpoint is still exposed and can be abused, since the server will accept any assertion. SAML certificate pinning can be used as a temporary mitigation. Also check the logs; if anything looks suspicious, reset passwords and SSH keys (and patch the server).


Learn More

A critical vulnerability has been identified in GitHub Enterprise Server, potentially allowing attackers to bypass authentication and access repositories and sensitive data without authorization.

The flaw, tracked as CVE-2024-4985 (CVSS score 9.8), resides in the SAML SSO (Security Assertion Markup Language Single Sign-On) authentication process. It allows an attacker to send a specially crafted SAML response that the server will accept even if the digital signature is invalid. This enables the attacker to impersonate any user, including administrators, thereby gaining access to their private repositories and data.

While the server checks that a SAML response is digitally signed, it fails to verify that the signature is valid and matches the identity provider’s certificate. Consequently, attackers can craft SAML assertions signed with any certificate to gain access.
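To make the distinction concrete, the following added example (not code from the advisory or from GitHub) contrasts the weak check the advisory describes with a pinned check. It is written in Ruby using only the standard OpenSSL library; the "assertion" is a simplified signed payload rather than real XML-DSig (canonicalization is deliberately omitted), and the identity provider key pair, the second untrusted key pair, and the pinned fingerprint are all constructed inside the example.

```ruby
require 'openssl'
require 'base64'

# Constructed demo material: a self-signed certificate standing in for the
# real identity provider, and a second, unrelated certificate that the server
# must NOT trust. Both are assumptions for this example.
def make_self_signed_cert(subject)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

IDP_KEY, IDP_CERT = make_self_signed_cert('trusted-idp.example')
OTHER_KEY, OTHER_CERT = make_self_signed_cert('unrelated.example')

# The pinned SHA-256 fingerprint of the IdP certificate, configured out of band.
PINNED_FINGERPRINT = OpenSSL::Digest::SHA256.hexdigest(IDP_CERT.to_der)

# Simplified "signed assertion": the payload, its RSA-SHA256 signature, and the
# certificate the signer chose to embed (mirroring <ds:KeyInfo> in SAML).
def sign_assertion(payload, key, cert)
  sig = key.sign(OpenSSL::Digest::SHA256.new, payload)
  { payload: payload, signature: Base64.strict_encode64(sig), cert_der: cert.to_der }
end

def verify_with(cert, assertion)
  cert.public_key.verify(OpenSSL::Digest::SHA256.new,
                         Base64.strict_decode64(assertion[:signature]),
                         assertion[:payload])
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Weak check, of the kind the advisory describes: a signature is present and it
# verifies under whatever certificate the message itself carries. Any
# certificate the sender controls satisfies this.
def weak_accept?(assertion)
  return false if assertion[:signature].to_s.empty?
  verify_with(OpenSSL::X509::Certificate.new(assertion[:cert_der]), assertion)
rescue OpenSSL::X509::CertificateError
  false
end

# Pinned check: the embedded certificate must match the configured IdP
# fingerprint before it is allowed to verify anything.
def pinned_accept?(assertion, pinned_fingerprint)
  return false if assertion[:signature].to_s.empty?
  cert = OpenSSL::X509::Certificate.new(assertion[:cert_der])
  return false unless OpenSSL::Digest::SHA256.hexdigest(cert.to_der) == pinned_fingerprint
  verify_with(cert, assertion)
rescue OpenSSL::X509::CertificateError
  false
end

if __FILE__ == $PROGRAM_NAME
  genuine   = sign_assertion('NameID=octocat;Audience=ghes', IDP_KEY, IDP_CERT)
  untrusted = sign_assertion('NameID=octocat;Audience=ghes', OTHER_KEY, OTHER_CERT)
  puts "weak   genuine=#{weak_accept?(genuine)} untrusted=#{weak_accept?(untrusted)}"
  puts "pinned genuine=#{pinned_accept?(genuine, PINNED_FINGERPRINT)} " \
       "untrusted=#{pinned_accept?(untrusted, PINNED_FINGERPRINT)}"
end
```

The weak check accepts both assertions because each one is internally consistent with the certificate it carries; the pinned check accepts only the one signed by the configured identity provider. A tampered payload fails both, which is why "is it signed?" alone feels like a real check even though it establishes nothing about who signed it.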

This vulnerability affects versions:

  • 3.9.14
  • 3.10.11
  • 3.11.9
  • 3.12.3

It has been fixed in GitHub Enterprise Server versions:

  • 3.9.15
  • 3.10.12
  • 3.11.10
  • 3.12.4

Users are advised to update GitHub Enterprise Server to one of these versions or newer. If upgrading immediately is not possible, enable SAML certificate pinning as a temporary mitigation.

Users should also check access logs for suspicious authentication activity from unknown IP addresses. If any suspicious activity is detected, users should rotate all credentials and SSH keys.
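As an added example of the log review step (not a tool from the advisory or from GitHub), the Ruby script below flags SAML logins that come from outside a set of trusted networks, or any SAML login at all when SAML is not configured on the instance, and lists the follow-on actions of each flagged account so that the credential rotation has a starting point. The JSON-lines layout, the field names, the trusted network ranges, and the log lines themselves are constructed for this example and are not the GitHub Enterprise Server audit log schema.

```ruby
require 'json'
require 'ipaddr'

# Constructed sample log in a simplified JSON-lines layout (assumed, not the
# real GHES schema). The 198.51.100.0/24 block is a documentation range.
SAMPLE_LOG = <<~LOG
  {"created_at":"2024-05-21T08:02:11Z","action":"user.login","actor":"octocat","actor_ip":"10.20.30.40","method":"saml"}
  {"created_at":"2024-05-21T08:05:42Z","action":"user.login","actor":"mona","actor_ip":"10.20.31.9","method":"password"}
  {"created_at":"2024-05-21T11:17:03Z","action":"user.login","actor":"site-admin","actor_ip":"198.51.100.23","method":"saml"}
  {"created_at":"2024-05-21T11:18:20Z","action":"repo.download_zip","actor":"site-admin","actor_ip":"198.51.100.23"}
  {"created_at":"2024-05-21T11:19:05Z","action":"ssh_key.create","actor":"site-admin","actor_ip":"198.51.100.23"}
  {"created_at":"2024-05-21T12:00:00Z","action":"user.login","actor":"octocat","actor_ip":"10.20.30.40","method":"saml"}
LOG

# Assumed trusted ranges (office and VPN) for this example.
TRUSTED_NETWORKS = ['10.20.0.0/16', '192.0.2.0/24'].map { |c| IPAddr.new(c) }

def parse_log(text)
  text.each_line.map { |line| JSON.parse(line) }
end

def trusted_ip?(ip, networks)
  addr = IPAddr.new(ip)
  networks.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# SAML logins worth a second look: from an untrusted address, or any SAML
# login on an instance where SAML is not supposed to be in use.
def suspicious_saml_logins(events, networks: TRUSTED_NETWORKS, saml_configured: true)
  events.select do |e|
    next false unless e['action'] == 'user.login' && e['method'] == 'saml'
    !saml_configured || !trusted_ip?(e['actor_ip'], networks)
  end
end

# For each flagged login, the account to rotate and what it did afterwards.
# Timestamps share one ISO-8601 layout, so string comparison orders them.
def triage(events, networks: TRUSTED_NETWORKS, saml_configured: true)
  suspicious_saml_logins(events, networks: networks, saml_configured: saml_configured).map do |login|
    later = events.select { |e| e['actor'] == login['actor'] && e['created_at'] > login['created_at'] }
    { actor: login['actor'], ip: login['actor_ip'], at: login['created_at'],
      follow_on_actions: later.map { |e| e['action'] } }
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(parse_log(SAMPLE_LOG)).each do |hit|
    puts "rotate credentials for #{hit[:actor]}: SAML login from #{hit[:ip]} at #{hit[:at]}"
    puts "  follow-on actions: #{hit[:follow_on_actions].join(', ')}"
  end
end
```

Running it against the sample flags only the site-admin login from outside the trusted ranges and lists the repository download and SSH key creation that followed it; with `saml_configured: false` every SAML login is flagged, which matches the advisory's point that the endpoint accepts assertions even when SAML is not meant to be in use.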
