Critical Security Advisory Issued for the GitHub Enterprise Server

• A critical security patch was released for the GitHub Enterprise Server to fix a SAML Single Sign-On authentication-bypass flaw.
• Since GHES are used by organizations for their infrastructure, security, and compliance, the bug poses severe risks.
• A guide with best practices is also available to mitigate the risks associated with this vulnerability.

GitHub has released an urgent security advisory concerning a critical vulnerability identified as CVE-2024-9487, which affects multiple versions of GitHub Enterprise Server (GHES). Given a CVSS score of 9.5, the vulnerability is deemed critical and requires immediate action from affected users.

The vulnerability allows attackers to bypass SAML Single Sign-On (SSO) authentication, which could result in unauthorized user provisioning and access to sensitive GitHub instances. Exploiting this vulnerability requires attackers to have the encrypted assertions feature enabled, direct network access, and a signed SAML response or metadata document. 

The potential consequences include unauthorized access to source code, sensitive project data, and developer credentials, which could lead to data breaches and development pipeline sabotage.

Organizations utilizing GHES to manage their infrastructure, security, and compliance are particularly at risk. Failure to patch these vulnerabilities promptly may also lead to regulatory penalties, especially in industries with stringent data protection and cybersecurity regulations.

To mitigate the risks associated with this vulnerability, organizations should follow these best practices:

• Apply the Available Patch: GitHub has confirmed the availability of a patch for CVE-2024-9487. Organizations should apply this patch immediately to secure their systems against potential exploits.
• Regular Updates: Maintain routine software and hardware updates to prevent exploits and ensure system integrity.
• Patch Management Strategy: Establish a robust patch management strategy, including inventory management, patch assessment, testing, deployment, and verification to address vulnerabilities promptly.
• Network Segmentation: Implement network segmentation using firewalls, VLANs, and access controls to limit exposure and protect critical assets.
• Incident Response Plan: Develop and maintain an incident response plan to efficiently detect, respond to, and recover from security incidents.
• Monitoring and Logging: Utilize comprehensive monitoring and logging systems, such as Security Information and Event Management (SIEM) solutions, for real-time threat detection.
• Address End-of-Life Products: Proactively identify and manage End-of-Life products within the infrastructure to reduce vulnerabilities.

In July, a network of GitHub accounts called Stargazers Ghost Network was observed distributing malware or malicious links via north of 3,000 accounts used for malware distribution that mostly focuses on infostealers. This Distribution-as-a-Service is operated and maintained by the Stargazer Goblin threat actor.