CVE-2024-9487
📋 TL;DR
This vulnerability allows attackers to bypass SAML SSO authentication in GitHub Enterprise Server by exploiting improper cryptographic signature verification. Attackers can provision unauthorized users and gain access to the instance. All GitHub Enterprise Server versions prior to 3.15 are affected when the encrypted assertions feature is enabled.
💻 Affected Systems
- GitHub Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of GitHub Enterprise Server instance with unauthorized user creation, data exfiltration, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to the GitHub instance leading to source code theft, repository manipulation, and privilege escalation within the platform.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still potential for unauthorized access if exploited.
🎯 Exploit Status
Exploitation requires direct network access to the instance and a signed SAML response or metadata document.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.16, 3.12.10, 3.13.5, 3.14.2, or any 3.15+ version
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to a patched version (3.11.16, 3.12.10, 3.13.5, 3.14.2, or 3.15+).
3. Restart the instance.
4. Verify SAML SSO functionality.
🔧 Temporary Workarounds
Disable Encrypted Assertions
Temporarily disable the SAML encrypted assertions feature to mitigate the vulnerability.
Navigate to Management Console > Authentication > SAML > Disable 'Encrypt assertions'
🧯 If You Can't Patch
- Disable SAML encrypted assertions feature immediately
- Implement strict network access controls to limit who can reach the SAML authentication endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the GitHub Enterprise Server version is below 3.15 and encrypted assertions are enabled in the SAML configuration.
Check Version:
ssh admin@github-enterprise-instance 'ghe-version'
Verify Fix Applied:
Verify that the version is 3.11.16, 3.12.10, 3.13.5, 3.14.2, or 3.15+, then test SAML authentication.
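The version and configuration check above can be turned into a small triage script. The following is an added example, not part of the advisory or of GitHub's tooling: it parses a ghe-version-style string (the sample output lines are constructed for illustration), compares the version against the patched releases listed in the Fix section (3.11.16, 3.12.10, 3.13.5, 3.14.2, or 3.15+), and combines that with whether encrypted assertions are enabled to classify the instance. The function and variable names are the example's own.

```python
import re

# Added example for CVE-2024-9487 triage (not the advisory's or GitHub's code).
# Minimum fixed version per release line, taken from the Fix section above.
FIXED_VERSIONS = {
    (3, 11): (3, 11, 16),
    (3, 12): (3, 12, 10),
    (3, 13): (3, 13, 5),
    (3, 14): (3, 14, 2),
}


def parse_version(ghe_version_output):
    """Extract the first X.Y.Z version number from ghe-version-style output."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", ghe_version_output)
    if not match:
        raise ValueError(f"no version number found in: {ghe_version_output!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the version is at or above the fix for its release line, or 3.15+."""
    major, minor, _ = version
    if (major, minor) >= (3, 15):
        return True
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Release line older than those with a listed fix: treat as unpatched.
        return False
    return version >= fixed


def assess(ghe_version_output, encrypted_assertions_enabled):
    """Classify an instance: 'patched', 'vulnerable', or 'unpatched-mitigated'.

    'unpatched-mitigated' means the build lacks the fix but the encrypted
    assertions feature (the precondition in the advisory) is disabled, i.e. the
    temporary workaround is in place and upgrading is still required.
    """
    version = parse_version(ghe_version_output)
    if is_patched(version):
        return "patched"
    if encrypted_assertions_enabled:
        return "vulnerable"
    return "unpatched-mitigated"


if __name__ == "__main__":
    # Constructed sample output in the shape `ghe-version` prints; the
    # encrypted-assertions flag would come from the Management Console.
    samples = [
        ("GitHub Enterprise Server 3.11.15", True),
        ("GitHub Enterprise Server 3.11.16", True),
        ("GitHub Enterprise Server 3.14.1", False),
        ("GitHub Enterprise Server 3.15.0", True),
    ]
    for output, enc_enabled in samples:
        print(f"{output} (encrypted assertions={enc_enabled}): "
              f"{assess(output, enc_enabled)}")
```

Run it on the real `ghe-version` output from the Check Version step; the encrypted-assertions flag must be read from the Management Console SAML settings, since the version string alone does not reveal it.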
📡 Detection & Monitoring
Log Indicators:
- Unexpected SAML authentication attempts
- Failed signature verification logs
- Unauthorized user provisioning events
Network Indicators:
- Unusual SAML assertion traffic patterns
- Authentication requests from unexpected sources
SIEM Query:
source="github-enterprise" AND ("SAML signature verification failed" OR "unauthorized user provisioned")
🔗 References
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2