SAML Exploit Github: CVE-2024-6800 – Cyble

Key Takeaways 

  • CVE-2024-6800 is a severe security flaw discovered in GitHub Enterprise Server (GHES), which could allow unauthorized access and control over sensitive systems by exploiting XML signature wrapping and forged SAML responses. 
  • The vulnerability impacts all GHES versions prior to 3.14, excluding versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16, indicating that many installations could be at risk. 
  • Exploiting this vulnerability can grant attackers unauthorized access to GHES instances, enabling them to view, modify, or delete critical source code and sensitive data and potentially compromising entire supply chains. 
  • GHES instances are often accessible over the internet, which broadens the attack surface and increases the likelihood of exploitation, emphasizing the need for immediate action. 
  • GitHub has released critical security updates to address CVE-2024-6800. Organizations are strongly advised to upgrade to the latest GHES version to apply essential patches and secure their systems. 
  • GHES version 3.13.3 includes fixes for CVE-2024-6800 and additional security improvements, addressing both critical and medium-severity vulnerabilities and enhancing overall system security. 
  • The update also introduces new features like improved diagnostic tools and configuration management enhancements, which help in better managing and troubleshooting GHES instances. 

Overview 

Cyble Research & Intelligence Labs’ (CRIL) Weekly Vulnerability Intelligence Report has recently revealed critical flaws with the potential to impact major technology platforms. Among the most concerning is a security issue affecting GitHub Enterprise Server (GHES). The vulnerability, identified as CVE-2024-6800, poses risks to organizations using GHES, potentially allowing unauthorized access and control over sensitive systems. 

On August 22, 2024, the Cyber Security Agency of Singapore (SingCERT) released an alert about CVE-2024-6800, a critical vulnerability in the GitHub Enterprise Server (GHES). GHES is a self-hosted version of GitHub, tailored for organizations that require a secure and customizable platform for managing source code and facilitating collaboration among development teams. 

CVE-2024-6800 is an XML signature wrapping vulnerability that affects GHES. This flaw allows unauthenticated attackers to exploit Security Assertion Markup Language (SAML) responses to gain unauthorized access. By forging a SAML response, an attacker could provision and access user accounts with site administrator privileges. 
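As an added illustration (not GitHub's code and not taken from the advisory), the Python below shows the structural binding a SAML consumer needs so that the assertion it acts on is the one the XML signature actually covers; it assumes a separate XML-DSig library does the cryptographic check, and the sample response is constructed for the example.

```python
# Structural guard against XML signature wrapping in a SAML consumer. Crypto
# verification of the signature is assumed to be done by an XML-DSig library
# (not shown); this only binds the consumed Assertion to the signed element.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

class SamlStructureError(ValueError):
    """Document shape cannot be trusted, whatever the signature says."""

def select_signed_assertion(xml_text: str) -> ET.Element:
    """Return the single Assertion the enveloped Signature covers, else raise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlStructureError("root element is not samlp:Response")
    # IDs must be unique: a duplicated ID lets a Reference URI resolve to an
    # element other than the one whose digest was actually signed.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise SamlStructureError("duplicate ID attributes in document")
    # Exactly one Assertion in the whole tree, and it must be a direct child
    # of Response (not nested under ds:Object, Extensions or another wrapper).
    everywhere = list(root.iter(f"{{{NS['saml']}}}Assertion"))
    direct = root.findall("saml:Assertion", NS)
    if len(everywhere) != 1 or everywhere != direct:
        raise SamlStructureError("expected exactly one top-level Assertion")
    assertion = direct[0]
    # The Signature must be enveloped in that Assertion and reference its ID,
    # so what the library verified is what the application will consume.
    sigs = assertion.findall("ds:Signature", NS)
    refs = sigs[0].findall("ds:SignedInfo/ds:Reference", NS) if len(sigs) == 1 else []
    if len(refs) != 1 or refs[0].get("URI") != "#" + str(assertion.get("ID")):
        raise SamlStructureError("Signature Reference does not cover this Assertion")
    return assertion

# Constructed sample (not real GHES traffic): one Assertion whose enveloped
# Signature references the Assertion's own ID.
SAMPLE_OK = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
    '</ds:SignedInfo></ds:Signature><saml:Subject><saml:NameID>alice</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>'
)
```

Run the structural checks before handing the element to the signature library and again before reading the Subject, so the two code paths can never look at different elements.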

Decoding the GitHub Enterprise Server Vulnerability  

The CVE-2024-6800 vulnerability affects all GitHub Enterprise Server (GHES) versions prior to 3.14, except versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This broad range of affected versions means that a significant number of GHES installations are at risk. 

The impact of CVE-2024-6800 is substantial, particularly because GHES is crucial for managing the source code of critical applications. Exploiting this vulnerability could lead to unauthorized access, allowing attackers to bypass authentication and gain unrestricted access to GHES instances.  

This access could enable them to view, alter, or delete sensitive source code and other important data. Additionally, with administrator privileges, attackers could manipulate code or configurations, potentially compromising the entire supply chain and leading to broader security breaches affecting downstream systems and users. 

The vulnerability’s exposure is exacerbated by the fact that GHES instances are often accessible over the internet. This broad attack surface heightens the risk of exploitation, highlighting the need for organizations to mitigate the threat quickly.  

Mitigation and Recommendations 

To address the critical vulnerability CVE-2024-6800, GitHub has issued essential security updates for GitHub Enterprise Server (GHES). Organizations using GHES are strongly encouraged to implement immediate measures to mitigate the risks associated with this vulnerability. 

Administrators should promptly upgrade to the latest GHES version, which includes the patches that fix the XML signature wrapping issue. This secures GHES instances against attacks that rely on it.

Organizations should also review their security policies and actively monitor their systems for any suspicious activity that might indicate attempts to exploit the vulnerability. Ensuring that access controls are properly configured and regularly reviewed will help in preventing unauthorized access. 

The security update addressing CVE-2024-6800 is included in GHES version 3.13.3. This release not only fixes the XML signature wrapping vulnerability, blocking unauthorized access through forged SAML responses, but also introduces several further improvements and fixes. Among them, the update addresses several medium-severity vulnerabilities affecting both public and private repositories, contributing to improved overall security. 

GHES version 3.13.3 also brings new features and enhancements. It includes improved diagnostic tools that allow users to view app states for gists, networks, and wikis, and the spokesctl check command now diagnoses and resolves issues with empty repository networks. Configuration tools have been enhanced for better management and diagnostics, including improvements to the ghe-config-apply process and more effective handling of configuration logs. 

The update resolves various bugs affecting system stability and user experience. It addresses issues related to configuration runs, unnecessary connections, and failures in Dependency Graph updates. It also contains user experience improvements, including fixes for problems with GitHub Actions, backup and restoration processes, and instance management. 

Conclusion 

CVE-2024-6800 represents a challenge to organizations using GitHub Enterprise Server. The XML signature wrapping flaw poses serious risks, including unauthorized access and compromised systems. Organizations should upgrade to GHES version 3.13.3 to address this vulnerability and take advantage of the latest security improvements.  

Regular updates and proactive monitoring are vital for protecting development environments from potential threats. For further details on the update and to access the latest security patches, organizations should refer to GitHub’s official documentation and follow the recommended actions.