A critical authentication bypass vulnerability (CVE-2024-4985) was discovered in GitHub Enterprise Server (GHES), specifically when using the SAML single sign-on authentication method in conjunction with the optional encrypted assertions feature. This vulnerability enabled an attacker to forge a SAML response, thus providing and/or gaining them access to a user with site administrator privileges. Exploitation of this vulnerability would ultimately allow unauthorized access to the instance without requiring prior authentication. It is crucial to note that all versions of GHES prior to 3.13. were affected, but the issue has been fixed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. The vulnerability was reported through the GitHub Bug Bounty program.
Exploit Details
This section breaks down the details of the vulnerability in the following stages: initiating the attack, forging the SAML response, and ultimately bypassing the authentication mechanisms.
Initiating the Attack
An attacker would begin by intercepting the base64-encoded SAML Authentication Request from the targeted GHES instance. This is typically done through a man-in-the-middle attack or other network intrusion methods.
Forging the SAML Response
Having intercepted the SAML Authentication Request, the attacker would then proceed to forge a SAML response. This involves crafting a malicious XML document that includes the necessary attributes to impersonate a legitimate user with site administrator privileges.
# Sample malicious SAML Response snippet
from lxml import etree
# create SAML Response
saml_response = etree.Element("samlp:Response", nsmap={"samlp": "urn:oasis:names:tc:SAML:2.:protocol"})
# create site admin user
user_element = etree.SubElement(saml_response, "saml:Attribute", Name="user", nsmap={"saml": "urn:oasis:names:tc:SAML:2.:assertion"})
user_value = etree.SubElement(user_element, "saml:AttributeValue")
user_value.text = "site_admin"
# forge SAML Response
forged_response = etree.tostring(saml_response, encoding='utf-8').decode('utf-8')
Bypassing Authentication
Once the attacker has successfully crafted the malicious SAML response, they would then send it to the targeted GHES instance with the intention of bypassing the authentication process and obtaining unauthorized access to the instance.
The following links provide additional information on CVE-2024-4985
1. GitHub Security Advisory - This advisory contains official information from GitHub regarding the vulnerability, affected versions, and fixed versions.
2. GitHub Bug Bounty Program - The official GitHub Bug Bounty program, through which the vulnerability was reported.
Conclusion
CVE-2024-4985 demonstrates the importance of thorough security testing and proper implementation of authentication mechanisms, particularly in the context of enterprise platforms like GHES. As a result of the Bug Bounty program report, GitHub took swift action to patch the vulnerability, ensuring the continued security of their platform. This serves as an example of the benefits of crowdsourced vulnerability disclosure processes and the power of collaboration in addressing security risks.
Timeline
Published on: 05/20/2024 22:15:08 UTC
Last modified on: 05/21/2024 12:37:59 UTC