
Thousands of people in the US are at risk due to a critical vulnerability in GitHub Enterprise Server

Thousands of GitHub Enterprise Server (GHES) instances in the United States that use SAML single sign-on (SSO) authentication are at high risk of compromise due to a critical vulnerability for which a proof of concept is already available on the open internet.

GitHub Enterprise Server, a self-hosted software development platform, runs as a standalone virtual appliance. It helps teams build and deliver software using Git version control, powerful APIs, productivity and collaboration tools, and integrations. GHES is recommended for enterprises subject to regulatory compliance requirements, as it avoids the problems that arise with public cloud development platforms.

On Monday, GitHub rolled out patches to address a maximum-severity vulnerability in GitHub Enterprise Server that could allow an attacker to bypass authentication.

The critical vulnerability, identified as CVE-2024-4985, has the maximum possible severity rating on the CVSS scale because it allows attackers to gain unauthorized access to a target instance without requiring prior authentication.

“On instances using SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could spoof the SAML response to provision and/or gain access to a user with root privileges,” GitHub explained.

GitHub said that encrypted assertions are not enabled by default. “This does not impact instances that do not use SAML SSO, or that use SAML SSO authentication without encrypted assertions,” the company added.

Encrypted assertions enhance the security of a GHES instance that uses SAML SSO by encrypting the messages sent by the SAML identity provider (IdP).

GitHub noted that the vulnerability affects all versions of GHES prior to 3.13.0. It has been fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
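As an added example (not code from the article, GitHub or Cyble), the following Python script applies the two conditions above to an instance inventory: the vulnerable code path is reachable only when SAML SSO with encrypted assertions is enabled, and only on a release older than the fixed version for its line (or older than 3.13.0 on lines that received no fix). The hostnames and versions in the sample inventory are constructed.

```python
# Added example (not GitHub's or the article's code): classify GHES instances
# against CVE-2024-4985 using the version and SAML facts stated in the article.

# First fixed release on each supported line, as listed by GitHub.
FIXED_RELEASES = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
FIRST_UNAFFECTED = (3, 13, 0)  # every release before 3.13.0 was affected


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z'; extra trailing components are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"expected numeric X.Y.Z, got {text!r}")
    return tuple(int(p) for p in parts[:3])


def version_is_patched(text: str) -> bool:
    """True if the release contains the fix for CVE-2024-4985."""
    ver = parse_version(text)
    if ver >= FIRST_UNAFFECTED:
        return True
    fixed = FIXED_RELEASES.get(ver[:2])
    # Lines older than 3.9 received no fix and therefore count as unpatched.
    return fixed is not None and ver >= fixed


def is_exposed(text: str, saml_sso: bool, encrypted_assertions: bool) -> bool:
    """Exposed only when SAML SSO with encrypted assertions is enabled on an
    unpatched release; every other configuration is unaffected."""
    return saml_sso and encrypted_assertions and not version_is_patched(text)


if __name__ == "__main__":
    # Constructed sample inventory: (host, version, saml_sso, encrypted_assertions)
    inventory = [
        ("ghes-a.example.internal", "3.12.3", True, True),   # unpatched, exposed
        ("ghes-b.example.internal", "3.12.4", True, True),   # patched
        ("ghes-c.example.internal", "3.11.9", True, False),  # unpatched, not exposed
        ("ghes-d.example.internal", "3.8.1", True, True),    # unsupported line, exposed
    ]
    for host, ver, sso, enc in inventory:
        print(f"{host:26} {ver:8} exposed={is_exposed(ver, sso, enc)}")
```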

However, users upgrading to the patched releases may encounter some issues. Known issues in these releases include:

  • Custom firewall rules are removed during the upgrade process.
  • During the configuration check phase, a “No such object” error may occur for the Notebook and Viewscreen services. This error can be ignored, as the services should still start correctly.
  • If the root site administrator is locked out of the Management Console after failed login attempts, the account is not automatically unlocked after the configured lockout time. Someone with administrative SSH access to the instance must unlock the account from the administrative shell.
  • If the instance is configured to forward logs to a TLS-enabled target server, the certificate authority (CA) bundles uploaded by a site administrator using ghe-ssl-ca-certificate-install are not respected, and connections to the server fail.
  • The “mbind: Operation not permitted” error in the /var/log/mysql/mysql.err file can be ignored. MySQL 8 does not handle the absence of the CAP_SYS_NICE capability gracefully: the capability is not required, but MySQL emits an error instead of a warning.
  • On an instance hosted on AWS, the system time may fall out of sync with Amazon’s servers after the administrator restarts the instance.
  • On an instance configured to use the X-Forwarded-For HTTP header behind a load balancer, all client IP addresses incorrectly appear as 127.0.0.1 in the instance audit log.
  • In some situations, large .adoc files stored in a repository are not rendered correctly in the web interface. The raw content can still be viewed as plain text.
  • On an instance in a cluster configuration, restoring a backup with ghe-restore terminates prematurely if Redis has not been restarted properly.
  • On an instance with GitHub Actions enabled, Actions workflows that deploy GitHub Pages may fail.
  • Repositories originally imported using ghe-migrator will not correctly track GitHub Advanced Security contributions.

Thousands of people at risk after PoC goes public

ODIN, Cyble’s attack surface management and threat intelligence search engine, has found that nearly 3,000 internet-exposed GitHub Enterprise Server instances are vulnerable to CVE-2024-4985.

Of these, the United States has the highest number (2.09K) of currently unpatched and vulnerable instances, followed by Ireland with 331 vulnerable instances.

ODIN customers can use the query Services.modules.http.title:"Github Enterprise" to track vulnerable instances.

[Figure: distribution by country of GitHub Enterprise Server instances vulnerable to CVE-2024-4985 (Source: ODIN by Cyble)]

This maximum-severity bug needs to be patched urgently, as a proof of concept is already available on GitHub itself. A GitHub user has published detailed guidance on the PoC exploit, so widespread exploitation of this vulnerability can be expected soon, if it is not already under way.
