CVE-2024-4985 | Github | UA
| Vulnerability | CVE-2024-4985 |
|---|---|
| Description | CVE-2024-4985 is a critical authentication bypass vulnerability in GitHub Enterprise Server (GHES) when utilizing SAML single sign-on (SSO) with the optional encrypted assertions feature. This flaw allows attackers to forge SAML responses, potentially gaining unauthorized access with site administrator privileges. (GitHub Advisory Database) |
| Affected Systems | GitHub Enterprise Server versions prior to 3.13.0. Patched versions include 3.9.15, 3.10.12, 3.11.10, and 3.12.4. (GitHub Advisory Database) |
| Attack Vector | Remote: Attackers can exploit this vulnerability by crafting malicious SAML responses and sending them to the GHES instance, bypassing authentication mechanisms. |
| Exploitation Techniques | - Forged SAML Responses: Attackers create malicious SAML responses that appear legitimate to the GHES instance, exploiting improper verification of cryptographic signatures.<br>- Encrypted Assertions Abuse: The vulnerability specifically affects configurations using encrypted assertions, where the server fails to properly validate the authenticity of the decrypted content.<br>- Privilege Escalation: By manipulating SAML responses, attackers can provision accounts with elevated privileges, including site administrator access. |
| The Impact of the Bug | - Unauthorized access to GHES instances without prior authentication.<br>- Potential compromise of repository data, including code and sensitive information.<br>- Elevated risk of further attacks due to administrative access, such as user account manipulation and configuration changes. |
| How to Detect Exploitation | - Audit Logs: Review GHES audit logs for unusual login activity, especially successful logins without corresponding SAML authentication events.<br>- SAML Response Analysis: Inspect SAML responses for anomalies, such as unexpected issuers or assertion attributes.<br>- Network Monitoring: Monitor for suspicious network traffic patterns indicative of exploitation attempts. |
| Mitigation Steps | - Apply Patches: Update GHES to the latest patched versions (3.9.15, 3.10.12, 3.11.10, 3.12.4, or 3.13.0 and above).<br>- Review SAML Configurations: Ensure that SAML SSO settings are correctly configured and that only trusted identity providers are used.<br>- Monitor Access Logs: Continuously monitor access logs for signs of unauthorized access and respond promptly to any anomalies. |
| References | - GitHub Advisory Database: CVE-2024-4985<br>- ProjectDiscovery Blog: GitHub Enterprise SAML Authentication Bypass<br>- The Hacker News: Critical GitHub Enterprise Server Flaw Allows Authentication Bypass |
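The audit-log check in the detection row (successful logins with no corresponding SAML authentication event, followed by a site-administrator grant) can be turned into a small correlation script. The code below is an added example written for this page, not GitHub's code or anything from the advisory. It assumes GHES's JSON-lines audit-log layout (`@timestamp`, `action`, `actor`, `actor_ip`); `user.login` is the documented login action, while the SAML and promotion action names (`user.sso_login`, `user.promote`) are assumptions to be replaced with whatever your instance emits. The sample log lines are constructed.

```python
import json
from datetime import datetime, timedelta

LOGIN_ACTION = "user.login"            # documented GHES audit-log action
SAML_ACTIONS = {"user.sso_login"}      # ASSUMED name of the SAML authentication event
PRIVILEGE_ACTIONS = {"user.promote"}   # ASSUMED name of the site-admin promotion event
WINDOW = timedelta(minutes=5)          # how close a SAML event must be to "back" a login

# CONSTRUCTED sample audit-log lines in GHES's JSON-lines layout.
# "alice" logs in normally (SAML event two seconds earlier); "svc-ghe-admin"
# logs in with no SAML event at all and is promoted 40 seconds later.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": "2024-05-21T10:00:00Z", "action": "user.sso_login", "actor": "alice", "actor_ip": "10.0.0.5"}
{"@timestamp": "2024-05-21T10:00:02Z", "action": "user.login", "actor": "alice", "actor_ip": "10.0.0.5"}
{"@timestamp": "2024-05-21T11:30:00Z", "action": "user.login", "actor": "svc-ghe-admin", "actor_ip": "203.0.113.9"}
{"@timestamp": "2024-05-21T11:30:40Z", "action": "user.promote", "actor": "svc-ghe-admin", "actor_ip": "203.0.113.9", "user": "svc-ghe-admin"}
"""


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # GHES writes UTC timestamps with a trailing "Z"; fromisoformat wants an offset.
        event["ts"] = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_logins(events):
    """Flag logins that no SAML event backs, and admin grants that follow them."""
    saml_times = {}
    for e in events:
        if e["action"] in SAML_ACTIONS:
            saml_times.setdefault(e["actor"], []).append(e["ts"])

    findings = []
    flagged_logins = {}  # actor -> timestamp of the most recent unbacked login
    for e in events:
        actor = e["actor"]
        if e["action"] == LOGIN_ACTION:
            backed = any(e["ts"] - WINDOW <= t <= e["ts"]
                         for t in saml_times.get(actor, []))
            if not backed:
                findings.append({"actor": actor, "ts": e["@timestamp"], "ip": e["actor_ip"],
                                 "reason": "login without a preceding SAML event"})
                flagged_logins[actor] = e["ts"]
        elif e["action"] in PRIVILEGE_ACTIONS:
            last = flagged_logins.get(actor)
            if last is not None and e["ts"] - last <= WINDOW:
                findings.append({"actor": actor, "ts": e["@timestamp"], "ip": e["actor_ip"],
                                 "reason": "site-admin promotion shortly after an unbacked login"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(parse_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding))
```

Tune `WINDOW` to how long your identity provider round-trip normally takes; a login with no SAML event inside that window is the signal the detection row describes, and a promotion right after it is the privilege-escalation outcome the impact row warns about.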
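The affected-systems and mitigation rows give the fixed version on each release branch (3.9.15, 3.10.12, 3.11.10, 3.12.4) and state that 3.13.0 and later are unaffected, with the bug only reachable when SAML SSO with encrypted assertions is in use. The helper below is an added example, not GitHub's tooling, that encodes exactly those numbers so an operator can triage an inventory of instances; the version strings and configuration flags passed to it are constructed inputs, and treating branches older than 3.9 (for which the advisory lists no fix) as unpatched is an assumption.

```python
import re

# Fixed patch level per release branch, taken from the advisory text.
FIXED_PATCH = {(3, 9): 15, (3, 10): 12, (3, 11): 10, (3, 12): 4}
# 3.13.0 and later never contained the bug.
FIRST_UNAFFECTED_BRANCH = (3, 13)


def parse_version(version):
    """Turn a GHES version string such as '3.12.3' into a (major, minor, patch) tuple."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised GHES version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_is_patched(version):
    """True if this GHES version contains the fix for CVE-2024-4985."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED_BRANCH:
        return True
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # ASSUMPTION: a branch older than 3.9 has no listed fix, so treat it as unpatched.
        return False
    return patch >= fixed


def assess(version, saml_sso_enabled, encrypted_assertions_enabled):
    """Classify an instance: 'patched', 'exposed', or 'unpatched-not-exposed'.

    'unpatched-not-exposed' means the vulnerable code is present but the
    configuration the advisory names (SAML SSO with encrypted assertions)
    is not in use; the instance still needs the update before that feature
    is ever turned on.
    """
    if version_is_patched(version):
        return "patched"
    if saml_sso_enabled and encrypted_assertions_enabled:
        return "exposed"
    return "unpatched-not-exposed"


if __name__ == "__main__":
    # CONSTRUCTED inventory: (hostname, version, saml_sso, encrypted_assertions)
    inventory = [
        ("ghes-prod.example.internal", "3.12.3", True, True),
        ("ghes-staging.example.internal", "3.12.4", True, True),
        ("ghes-lab.example.internal", "3.11.9", False, False),
        ("ghes-new.example.internal", "3.13.1", True, True),
    ]
    for host, ver, sso, enc in inventory:
        print(f"{host:32} {ver:8} {assess(ver, sso, enc)}")
```

Run it against whatever version field your inventory or the admin console reports; anything classified `exposed` should be updated first, and `unpatched-not-exposed` instances should still be scheduled so that a later SAML change does not silently reopen the issue.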