Introduction
GitHub has issued critical security updates for its Enterprise Server (GHES) to address multiple vulnerabilities [5] [6], including a severe flaw that could allow unauthorized access. These updates are crucial for maintaining the security and integrity of systems using GHES.
Description
GitHub has released critical security updates for its Enterprise Server (GHES) to address three vulnerabilities [5] [6], including a significant flaw identified as CVE-2024-9487 [7], which has a CVSS score of 9.5 out of 10. This vulnerability in cryptographic signature verification allows attackers to bypass Security Assertion Markup Language (SAML) single sign-on (SSO) authentication when the optional Encrypted Assertions feature is enabled [7]. Exploiting this flaw requires direct network access and a signed SAML response or metadata document [7], and it could allow unauthorized user provisioning and access with site administrator privileges, without prior authentication. Notably, CVE-2024-9487 was introduced as a regression while addressing a previously patched vulnerability [6], CVE-2024-4985 [1] [2] [3] [4] [5] [6] [7] [8], which had a maximum severity score of 10.0.
In addition to CVE-2024-9487 [2] [7], GitHub has addressed a second, medium-severity vulnerability, CVE-2024-9539 [4] [5] [6] [7], which has a CVSS score of 5.7 [5]. This vulnerability allows malicious URLs embedded in SVG assets to trick users into clicking them, potentially exposing sensitive data. Furthermore, GitHub resolved a sensitive data exposure issue in the management console by removing the “Copy Storage Setting from Actions” feature [7]. Both vulnerabilities affect all versions of GitHub Enterprise Server prior to 3.15 [2] [3], including 3.11.16, 3.12.10, 3.13.5 [1] [3] [4], and 3.14.2 [1] [3] [4] [7]. Organizations running vulnerable self-hosted versions of GHES are strongly urged to update to the latest secured versions [5], as older versions are no longer supported and will not receive future security updates [4].
It is crucial for these organizations to verify their SAML configurations, secure encrypted assertions [2] [3] [4] [6], and implement monitoring to detect unauthorized access [6]. Regular audits of user access can help identify suspicious activity and enhance overall security. Instances not utilizing SAML SSO or those using SAML SSO without encrypted assertions are not impacted by CVE-2024-9487 [3].
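The following is an added triage helper, not code from GitHub or from the advisory: it combines the fixed releases listed above with the SAML conditions described in this section (CVE-2024-9487 only applies where SAML SSO with Encrypted Assertions is in use) to report which of the two CVEs a given GHES release is exposed to. The version string, SAML SSO flag and Encrypted Assertions flag are inputs you would take from your own instance; the sample values below are constructed.

```python
"""Added example (not GitHub's or the advisory's code): triage a GHES
instance against the fixed releases and the SAML conditions this page lists."""
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory, keyed by feature series.
FIXED_VERSIONS = {
    (3, 11): (3, 11, 16),
    (3, 12): (3, 12, 10),
    (3, 13): (3, 13, 5),
    (3, 14): (3, 14, 2),
}
FIRST_CLEAN_SERIES = (3, 15)  # advisory: "all versions prior to 3.15" are affected


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def release_status(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unsupported' (series with no fix)."""
    v = parse_version(version)
    if v[:2] >= FIRST_CLEAN_SERIES:
        return "patched"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unsupported"  # no fix will ship; upgrade to a supported series
    return "patched" if v >= fixed else "vulnerable"


def triage(version: str, saml_sso: bool, encrypted_assertions: bool) -> Dict[str, object]:
    """Per-CVE exposure. CVE-2024-9487 needs SAML SSO *and* Encrypted
    Assertions enabled; CVE-2024-9539 depends on the release alone."""
    status = release_status(version)
    unfixed = status != "patched"
    return {
        "release": status,
        "CVE-2024-9487": unfixed and saml_sso and encrypted_assertions,
        "CVE-2024-9539": unfixed,
    }


if __name__ == "__main__":
    # Constructed inputs, not taken from a real instance.
    print(triage("3.13.4", saml_sso=True, encrypted_assertions=True))
```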
The impact of CVE-2024-9487 is significant [6], as unauthorized access can lead to data breaches [6], unauthorized changes to source code [6] [8], and exposure of intellectual property [6]. If attackers gain access to source code with administrative privileges [8], they could manipulate it and introduce backdoors [8], facilitating espionage and social engineering [8]. GitHub emphasizes the importance of upgrading to prevent such risks [6], highlighting that regular updates, vigilant monitoring [6], and robust security practices are essential for minimizing vulnerabilities and protecting digital assets [6]. Currently, GitHub is not aware of any widespread exploitation of this vulnerability [3], but organizations are encouraged to remain proactive in their security measures, particularly by securing their network architectures and monitoring access to prevent potential exploitation [8]. With over 81,000 instances of GitHub Enterprise Server exposed on the internet [7], primarily in the United States [7], timely updates are essential to protect sensitive data and reduce the attack surface [7].
Conclusion
The vulnerabilities addressed by GitHub’s updates underscore the critical need for organizations to maintain up-to-date security measures. The potential impacts of these vulnerabilities, particularly CVE-2024-9487, include unauthorized access and data breaches [6], which could have severe consequences for affected organizations. To mitigate these risks [2] [4] [5], organizations must ensure their systems are updated, verify SAML configurations [6], and implement robust monitoring and auditing practices. Proactive security measures are essential to safeguard digital assets and prevent exploitation, especially given the widespread exposure of GHES instances.
References
[1] https://thenimblenerd.com/article/githubs-latest-flaw-fix-patch-now-or-risk-unauthorized-access/
[2] https://www.hendryadrian.com/github-enterprise-server-patches-critical-security-flaw-cve-2024-9487-cvss-9-5/
[3] https://securityaffairs.com/169873/security/github-addressed-ctitical-flaw-in-enterprise-server.html
[4] https://www.heise.de/en/news/Github-Enterprise-Server-Attackers-can-bypass-authentication-9982935.html
[5] https://thehackernews.com/2024/10/github-patches-critical-flaw-in.html
[6] https://vulert.com/blog/github-patches-critical-flaw/
[7] https://socradar.io/critical-vulnerabilities-affecting-github-enterprise-server-kubernetes-image-builder-and-givewp-plugin/
[8] https://cyberscoop.com/github-enterprise-vulnerability-sso-saml/