How to fix CVE-2024-4985 in GitHub Enterprise Server

GitHub recently disclosed a severe vulnerability affecting its GitHub Enterprise Server (GHES), assigned the highest possible CVSS score of 10.0.

This vulnerability, identified as CVE-2024-4985, poses a significant threat to organizations utilizing GHES. Here’s what you need to know about this critical security issue, its potential impact, and how to protect your systems

TL;DR

What is CVE-2024-4985?

CVE-2024-4985 is a critical authentication bypass vulnerability in GitHub Enterprise Server, a self-hosted version of GitHub designed for organizations. This vulnerability, discovered through GitHub’s Bug Bounty program, has a maximum CVSS score of 10.0, indicating its high severity. 

The flaw lies within the encrypted assertions feature of the SAML Single Sign-On (SSO) mechanism used by GHES. Although this feature is meant to enhance security by encrypting SAML assertions, it inadvertently introduced a critical vulnerability.

Attackers can exploit this flaw by forging SAML responses, allowing them to impersonate legitimate users, including those with administrative privileges.

Encrypted assertions allow site administrators to improve a GHES instance’s security with SAML SSO by encrypting the messages that the SAML identity provider (IdP) sends during the authentication process. 

Does CVE-2024-4985 affect me?

CVE-2024-4985 specifically affects instances of GitHub Enterprise Server where SAML SSO is configured with encrypted assertions.

This is not the default configuration, so only those deployments that have enabled this feature are vulnerable. If your GHES deployment does not use encrypted SAML assertions, this vulnerability does not impact you. 

However, the potential impact of this vulnerability is substantial for those affected.

Exploitation could lead to theft of sensitive source code, breaches of confidential data, and major disruptions to development operations, posing significant risks to the security and integrity of the organization. 

A search using ZoomEye has identified over 76,000 potentially exposed GHES instances, predominantly in the United States, Japan, and Ireland, highlighting the extensive potential attack surface. 

Has CVE-2024-4985 been actively exploited in the wild?

As of now, there have been no confirmed reports of CVE-2024-4985 being actively exploited in the wild. However, given the critical nature of this vulnerability and the large number of potentially exposed instances, the risk of exploitation remains high.

Organizations using vulnerable GHES configurations should prioritize mitigation to prevent potential attacks. 

How to fix CVE-2024-4985

GitHub has promptly released patches to address CVE-2024-4985. The following versions of GitHub Enterprise Server have received critical updates: 

• 3.9.15 
• 3.10.12 
• 3.11.10 
• 3.12.4 

Administrators are strongly advised to apply these updates immediately to secure their systems against this vulnerability.

Keeping your software up to date is a crucial step in maintaining your organization’s security posture. The issue impacts all versions of GHES prior to 3.13.0 and has been addressed in versions 3.9.15.

In addition to applying the patches, it’s essential to stay informed about cybersecurity trends and respond swiftly to new vulnerabilities.

To protect your digital assets, make sure to provide continuous monitoring, timely threat alerts, and the enabling of effective preemptive actions. 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. 2023 Vulnerability watch reports 
2. The MITRE ATT&CK framework: Getting started
3. The true impact of exploitable vulnerabilities for 2024
4. Multi-cloud security challenges – a best practice guide
5. How to properly tackle zero-day threats