GitHub warns of SAML auth bypass flaw in Enterprise Server

GitHub has patched a maximum-severity (CVSS v4 score: 10.0) authentication bypass vulnerability, tracked as CVE-2024-4985, that affects GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.

Exploiting the flaw would let a threat actor forge a SAML response and obtain administrator privileges, giving unrestricted access to all of the instance's contents without any prior authentication.

GHES is a self-hosted version of GitHub designed for organizations that want to keep their repositories on their own servers or in a private cloud environment.

It caters to large enterprises and development teams that require greater control over their assets, entities handling sensitive or proprietary data, organizations with high-performance requirements, and users who need offline access.

The flaw, which was submitted through GitHub's Bug Bounty program, only affects instances using Security Assertion Markup Language (SAML) SSO with encrypted assertions. This optional feature encrypts the assertion inside the SAML response so that its contents cannot be read if the response is intercepted (for example, in a man-in-the-middle attack).

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.” – GitHub.

Because encrypted assertions are not enabled by default on GHES, CVE-2024-4985 only affects instances whose administrators have explicitly turned the feature on.

The vulnerability has been fixed in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released yesterday, May 20, 2024.
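A fleet check for the condition described above, added here as an example and not GitHub's own code: it compares a GHES `installed_version` string, as the instance reports at `GET /api/v3/meta`, against the fix releases listed in the bulletin, and combines that with whether encrypted assertions are enabled. That second flag has to be read from the Management Console's SAML settings and is passed in as a boolean here; the sample API response and the 3.8 and 3.13 version strings are constructed for the example.

```python
"""Check a GHES version against the CVE-2024-4985 fix releases.

Added example, not GitHub's code. Fix releases come from the bulletin;
the sample /api/v3/meta response below is constructed for this example.
"""
import json
import re
import urllib.request
from typing import Optional

# Fixed releases per supported series, as listed in the bulletin.
FIXED_RELEASES = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what GHES returns at GET /api/v3/meta.
SAMPLE_META = json.dumps({
    "installed_version": "3.11.9",
    "verifiable_password_authentication": False,
})


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z' (any trailing suffix such as '.rc1' is ignored)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def fixed_release_for(version: tuple) -> Optional[tuple]:
    """Fix release for the version's major.minor series, or None."""
    return FIXED_RELEASES.get(version[:2])


def is_patched(version_text: str) -> Optional[bool]:
    """True if at or past the fix for its series, False if older,
    None if the series is not covered by the bulletin (e.g. 3.8, 3.13)."""
    version = parse_version(version_text)
    fixed = fixed_release_for(version)
    if fixed is None:
        return None
    return version >= fixed


def assess(meta_json: str, encrypted_assertions_enabled: bool) -> dict:
    """Combine the version state with the SAML configuration.

    The bulletin's precondition is SAML SSO *with* encrypted assertions, so an
    unpatched instance without that feature is not exploitable via this bug,
    but it still runs the vulnerable code and should be upgraded.
    """
    meta = json.loads(meta_json)
    version = meta.get("installed_version")
    if not version:
        raise ValueError("no installed_version in response; not a GHES meta endpoint?")
    patched = is_patched(version)
    if patched is None:
        status = "series-not-covered"
    elif patched:
        status = "patched"
    elif encrypted_assertions_enabled:
        status = "vulnerable"
    else:
        status = "unpatched-precondition-absent"
    return {"version": version, "patched": patched, "status": status}


def fetch_meta(base_url: str) -> str:
    """Fetch the live meta document from an instance (network; not used in tests)."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/api/v3/meta") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(assess(SAMPLE_META, encrypted_assertions_enabled=True))
```

Comparison is done per minor series rather than on the bare tuple, because 3.9.15 is patched while the numerically larger 3.12.3 is not; a plain "newer is safer" check would get that wrong.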

Known issues with the update include:

  • Custom firewall rules are wiped.
  • "No such object" error during configuration validation for the Notebook and Viewscreen services (can be ignored).
  • The Management Console root admin account does not unlock automatically after a lockout (requires SSH access to unlock).
  • TLS-enabled log forwarding fails because CA bundles uploaded with ghe-ssl-ca-certificate-install are not respected.
  • The "mbind: Operation not permitted" error in MySQL logs can be ignored.
  • AWS instances may lose system time synchronization after a reboot.
  • All client IPs appear as 127.0.0.1 in audit logs when the X-Forwarded-For header is used behind a load balancer.
  • Large .adoc files may not render in the web UI but are available as plaintext.
  • Backup restoration with ghe-restore may fail if Redis has not restarted properly.
  • Repositories imported with ghe-migrator do not track Advanced Security contributions correctly.
  • GitHub Actions workflows for GitHub Pages may fail; the fix requires specific SSH commands (provided in the bulletin).

Despite these issues, anyone running the vulnerable configuration (SAML SSO with encrypted assertions) should move to a patched GHES version immediately.
