On May 21, 2024 GitHub disclosed a new authentication bypass flaw in their Enterprise Server. Encoded as CVE-2024-4985, it is so easy to exploit that it received the max CVSS rating of 10 right away. The developer already released the patches and potential mitigations for the flaw.
GitHub Discloses Enterprise Server Authentication Bypass Vulnerability
Later into May 21, GitHub developers released a note regarding the newly discovered vulnerability in Enterprise Server (GHES). That is a localized development and code managed solution that repeats the functionality of the cloud one. This in fact makes the vulnerability much more dangerous, but more on that later. Searches through ZoomEye search engine reports about over 70 thousand Enterprise Server instances around the world, with most of them being vulnerable.
The new CVE-2024-4985 flaw stems from the weakness in the SAML authentication mechanism, specifically in its optional encrypted assertion feature. It was discovered under GitHub’s Bug Bounty program. By crafting a response message of the SAML system, it is possible to make the system think that the authentication was done successfully, so it lets the adversary get in.
The potential outcomes of a successful attack are rather severe, which definitely makes up for the CVSS score of 10/10. Considering that Enterprise Server suggests a self-hosted instance of a GitHub code repository, getting access to it will also mean getting access to some of the internal network infrastructure. Repository access itself is a perfect ground for a supply chain attack, and by accessing the servers, hackers can deal damage to the company itself.
GitHub Releases Fixes For CVE-2024-4985
One more unfortunate detail about this flaw is that it impacts quite a few versions of GitHub Enterprise Server. The newest 3.13 version of GHES is safe, but all the versions prior to it are vulnerable. The developer released fixes for a selection of versions.
| GHES version | Fixed in |
|---|---|
| 3.12.3 and earlier | 3.12.4 |
| 3.11.9 and earlier | 3.11.10 |
| 3.10.11 and earlier | 3.10.12 |
| 3.9.14 and earlier | 3.9.15 |
| 3.8 and earlier | No fix available |
There is also a mitigation option, confirmed by GitHub – disabling the encrypted assertion features. The flawed component is not enabled by default, so the issue is non-existent for those who never enabled it. This mitigation will also be helpful for the users of versions prior to 3.8, which will not receive any updates.
