GitHub’s latest Enterprise Server update fixes a critical vulnerability that allows authentication bypass on on-premises deployments, according to the company.
The bug, CVE-2024-9487, affects GitHub Enterprise Server and not the company’s software-as-a-service products, according to GitHub’s release. The Microsoft-owned company said the flaw, rated 9.5 on the CVSS scale, would let an attacker bypass Security Assertion Markup Language (SAML) single sign-on, a method companies commonly use to verify employee identities. Per GitHub’s advisory, exploitation requires an instance configured for SAML SSO with the optional encrypted assertions feature enabled.
Chris Hatter, chief technology officer of the application security company Qwiet.Ai, called the vulnerability “severe” and said that organizations should ensure they understand their relevant network architectures.
Hatter said companies should block any “routes to this access” and ensure that they have “telemetry to be able to understand who is accessing these resources by whom and from where.”
Hatter said a typical attack would likely require a malicious actor to already have access to internal networks in order to use the vulnerability. He cautioned that some organizations might publish Enterprise Servers to the open internet, but it would be unusual.
Exploiting the bug means forging the signed SAML message that an identity provider issues to vouch that a user has authenticated and may sign on to an approved service; the service provider is supposed to reject any such message whose signature does not verify under the identity provider’s key. Most people have multiple identities for work (a recent report from Push Security put the average at 15 identities per employee), and SAML-based SSO lets an organization manage authentication and access to all of them centrally.
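As an added illustration of the class of flaw the advisory describes, improper verification of cryptographic signatures in a service provider’s SAML handling, the following Go program models a service provider checking an identity provider’s assertion. It is example code written for this page, not GitHub’s code, and it does not reproduce the specific flaw in Enterprise Server. The signature scheme (RSA over the raw XML bytes rather than XML-DSig), the issuer and audience URLs, the user names and the timestamps are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"time"
)

// Assertion is a stripped-down SAML assertion: who the IdP vouches for, which SP it is meant for, and until when.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	Subject      string   `xml:"Subject"`
	Audience     string   `xml:"Audience"`
	NotOnOrAfter string   `xml:"NotOnOrAfter"` // RFC 3339 timestamp
}

// Response is what the SP receives: assertion bytes plus a detached signature. Real SAML uses XML-DSig
// over a canonicalised document; signing the raw bytes is a simplification that leaves the trust decision unchanged.
type Response struct {
	AssertionXML []byte
	Signature    []byte // RSA PKCS#1 v1.5 over SHA-256(AssertionXML); empty if unsigned
}

// sign is what an IdP does, and also what an attacker holding some other key can do.
func sign(priv *rsa.PrivateKey, a Assertion) (Response, error) {
	raw, err := xml.Marshal(a)
	if err != nil { return Response{}, err }
	h := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { return Response{}, err }
	return Response{AssertionXML: raw, Signature: sig}, nil
}

// acceptUnverified is the bug class: it logs in whoever the assertion names without confirming
// that the signature binds the assertion to the trusted IdP.
func acceptUnverified(r Response) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(r.AssertionXML, &a); err != nil { return "", err }
	return a.Subject, nil
}

// verifyAssertion is the hardened path: signature under the pinned IdP key first, then the claims.
func verifyAssertion(r Response, idpPub *rsa.PublicKey, audience string, now time.Time) (string, error) {
	h := sha256.Sum256(r.AssertionXML)
	if err := rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, h[:], r.Signature); err != nil {
		return "", errors.New("signature missing or does not verify under the pinned IdP key")
	}
	var a Assertion
	if err := xml.Unmarshal(r.AssertionXML, &a); err != nil { return "", err }
	if a.Audience != audience {
		return "", errors.New("assertion not addressed to this SP")
	}
	exp, err := time.Parse(time.RFC3339, a.NotOnOrAfter)
	if err != nil || !now.Before(exp) {
		return "", errors.New("assertion expired or has a malformed validity window")
	}
	return a.Subject, nil
}

// Outcome records what each path decides for a forged, an unsigned and a legitimate assertion.
type Outcome struct {
	ForgedViaUnverified string // subject the buggy path accepts from the attacker's message
	ForgedErr           error  // hardened path's verdict on that same message
	UnsignedErr         error  // hardened path's verdict on an unsigned copy of it
	LegitSubject        string // hardened path's result for the real IdP's message
	LegitErr            error
}

// Scenario builds the constructed inputs (two fresh key pairs, fixed clock) and runs both verifiers.
func Scenario() (Outcome, error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return Outcome{}, err }
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // a key the SP never trusted
	if err != nil { return Outcome{}, err }
	const audience = "https://ghes.example.test" // constructed SP entity ID
	now := time.Date(2024, 10, 10, 12, 0, 0, 0, time.UTC)
	exp := now.Add(5 * time.Minute).Format(time.RFC3339)
	legit, err := sign(idpKey, Assertion{Subject: "alice", Audience: audience, NotOnOrAfter: exp})
	if err != nil { return Outcome{}, err }
	// The attacker names an administrative identity and signs with their own key.
	forged, err := sign(attackerKey, Assertion{Subject: "site-admin", Audience: audience, NotOnOrAfter: exp})
	if err != nil { return Outcome{}, err }
	unsigned := Response{AssertionXML: forged.AssertionXML}
	var o Outcome
	o.ForgedViaUnverified, _ = acceptUnverified(forged)
	_, o.ForgedErr = verifyAssertion(forged, &idpKey.PublicKey, audience, now)
	_, o.UnsignedErr = verifyAssertion(unsigned, &idpKey.PublicKey, audience, now)
	o.LegitSubject, o.LegitErr = verifyAssertion(legit, &idpKey.PublicKey, audience, now)
	return o, nil
}
```

Calling `Scenario()` shows the buggy path handing back `site-admin` from a message the identity provider never issued, while the hardened path rejects both the attacker-signed and the unsigned copies and accepts only the assertion signed with the pinned IdP key. A production SAML verifier has more to do than this model (XML canonicalisation, validating which element the XML-DSig reference actually covers so a wrapped signature cannot smuggle in a second assertion, and replay protection via assertion IDs), but the ordering is the point: no attribute in the assertion may be trusted before the signature has been verified against the key the SP was configured with.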
Hatter said GitHub Enterprise Servers could be a “treasure trove of information” for hackers. Accessed instances could include “source code, architectural documents, information about developers,” which could be useful for espionage, social engineering attacks, and IP theft, among other acts.
“If you have access to the source code and you have administrative privileges into the source code management systems, theoretically you could start to manipulate that source code and implement a back door,” Hatter said.
GitHub’s latest update fixes a regression of CVE-2024-4985, a vulnerability with a 10.0 CVSS score that GitHub first patched in May.
The Oct. 6 update carried two other security fixes: CVE-2024-9539, an information-disclosure bug in which a malicious URL for an SVG asset could let an attacker retrieve metadata about a user who clicks it, and the removal of management console functionality that could expose sensitive data in HTML forms.