CVE-2024-9487: Critical Vulnerability Affecting GitHub Enterprise Server
Background
The latest GitHub Enterprise Server (GHES) security update fixes three recently discovered vulnerabilities, one of them critical and capable of granting unauthorized users access to the platform. The vulnerabilities were reported through GitHub's Bug Bounty program, and the risk they pose to organizations running self-hosted GHES instances has raised concern.
Although GitHub has already released fixes for these vulnerabilities, organizations need to understand their implications and apply the updates promptly to safeguard their systems.
CVE-2024-9487:
CVE-2024-9487 (CVSS 9.5) is a critical vulnerability in GitHub Enterprise Server (GHES) that allows attackers to bypass SAML Single Sign-On (SSO) authentication when the optional encrypted assertions feature is enabled. The flaw is improper verification of cryptographic signatures in the SAML authentication flow, which permits unauthorized user provisioning and access to the instance.
Note that encrypted assertions are not enabled by default. To exploit this vulnerability, an attacker would also need direct network access to the instance along with a signed SAML response or metadata document.
This vulnerability is a regression introduced by the fix for CVE-2024-4985, an earlier authentication bypass with a CVSS score of 9.8.
The update also addresses CVE-2024-9539 (CVSS 5.7), a lower-severity information disclosure: an attacker who lures a victim into clicking a malicious URL for an SVG asset could obtain metadata. Additionally, GitHub fixed a sensitive-data disclosure in HTML forms by disabling the "Copy Storage Setting from Actions" feature in the management console.
Recommendations
GitHub Enterprise Server (GHES) versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16 fix all of the most recent security flaws, including CVE-2024-9487 and CVE-2024-9539. Organizations running vulnerable self-hosted versions should update immediately to protect their systems.
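An added example (not from the advisory or from GitHub) that turns the fixed versions above and the encrypted-assertions precondition into a triage check for an inventory of self-hosted instances: it reports whether a reported version is patched for its release line and which of the two CVEs still apply. Hostnames in the sample inventory are hypothetical, and release lines the advisory does not list are reported as unknown rather than guessed.

```python
import re

# Fixed versions per release line, as listed in the advisory above.
FIXED_BY_LINE = {
    (3, 14): (3, 14, 2),
    (3, 13): (3, 13, 5),
    (3, 12): (3, 12, 10),
    (3, 11): (3, 11, 16),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse a GHES version string such as '3.13.4' into (major, minor, patch)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for the release line of `version`.
    'unknown' means the advisory lists no fixed version for that line (e.g. an older
    3.10.x or a newer 3.15.x), so it must be checked against GitHub's own notes."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_LINE.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def applicable_cves(version: str, encrypted_assertions_enabled: bool):
    """List the advisory's CVEs still applicable to the appliance (None if unknown line).
    CVE-2024-9487 is only reachable when SAML encrypted assertions are enabled;
    CVE-2024-9539 applies to any unpatched appliance."""
    status = patch_status(version)
    if status == "unknown":
        return None
    if status == "patched":
        return []
    cves = ["CVE-2024-9539"]
    if encrypted_assertions_enabled:
        cves.insert(0, "CVE-2024-9487")
    return cves


if __name__ == "__main__":
    # Constructed sample inventory with hypothetical hostnames: (name, version, encrypted assertions on?)
    for name, ver, enc in [("ghes-prod", "3.13.4", True), ("ghes-dev", "3.14.2", True)]:
        print(f"{name:10} {ver:8} {patch_status(ver):10} {applicable_cves(ver, enc)}")
```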
GitHub recommends the following precautions to reduce exposure to similar risks going forward:
- Use secrets sparingly: Add secrets to workflows only when necessary, and make sure they are encrypted.
- Verify inputs: Always validate the input parameters used in workflows to prevent unwanted actions.
- Limit access: Follow the principle of least privilege and grant only the minimum access needed to run workflows.
- Frequent audits: Review workflows regularly for vulnerabilities or anomalies that might indicate a compromise.