Vulnerability in GitHub Enterprise Server (GHES) could allow authentication bypass


MS-ISAC NOTICE NUMBER:

2024-060

ISSUE DATE(S):

05/23/2024

PREVIEW:

A vulnerability has been discovered in GitHub Enterprise Server (GHES), which could allow authentication to be bypassed. GHES is a popular platform for software developers. Organizations can build and store software applications using Git version control and automate deployment pipelines. Successful exploitation of this vulnerability could allow an attacker to forge a SAML response to provision and/or access a user with site administrator privileges. An attacker could then view, modify or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS CONCERNED:

  • GitHub Enterprise Server prior to 3.13.0

RISK:

Government:

Large and medium government entities: HIGH

Small government: MEDIUM

Companies:

Large and medium business entities: HIGH

Small business entities: MEDIUM

TECHNICAL SUMMARY:

A vulnerability has been discovered in GitHub Enterprise Server (GHES), which could allow authentication to be bypassed. The details of the vulnerability are as follows:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • An authentication bypass vulnerability was present in GitHub Enterprise Server (GHES) when using SAML single sign-on with the optional encrypted assertions feature. This vulnerability allowed an attacker to forge a SAML response to provision and/or access a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.
    Successful exploitation of this vulnerability could allow an attacker to forge a SAML response to provision and/or access a user with site administrator privileges. An attacker could then view, modify or delete data; or create new accounts with full user rights.
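The advisory gives a single affected range (GHES prior to 3.13.0), so the first defender check is to inventory instance versions and compare them numerically rather than as strings. The following is an added example, not code from the advisory or from GitHub: it assumes that the GHES REST endpoint `GET /api/v3/meta` returns a JSON body with an `installed_version` field (an assumption for this example), embeds constructed sample responses for three hypothetical hosts instead of making network calls, and classifies each host against the range stated in the advisory.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Fix version named in the advisory: any GHES release prior to this is affected.
FIXED_VERSION: Tuple[int, int, int] = (3, 13, 0)

# Constructed sample bodies standing in for what each host would return from
# /api/v3/meta. Hostnames and values are made up for this example; the
# `installed_version` field name is an assumption.
SAMPLE_META_RESPONSES: Dict[str, str] = {
    "ghes-a.example.internal": '{"verifiable_password_authentication": true, "installed_version": "3.12.4"}',
    "ghes-b.example.internal": '{"verifiable_password_authentication": false, "installed_version": "3.13.0"}',
    "ghes-c.example.internal": '{"verifiable_password_authentication": true}',
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; None if the shape is wrong."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Numeric comparison, so 3.9.x correctly sorts below 3.13.0 (a string
    comparison would get this wrong because '9' > '1')."""
    return version < FIXED_VERSION


def assess_meta(body: str) -> str:
    """Classify one /api/v3/meta body as affected / not affected / unknown.

    Anything that cannot be parsed is reported as unknown rather than silently
    treated as safe, so the host still shows up for manual follow-up.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown: response is not JSON"
    raw = data.get("installed_version")
    if raw is None:
        return "unknown: installed_version not present"
    version = parse_version(str(raw))
    if version is None:
        return f"unknown: unparseable version {raw!r}"
    return "affected" if is_affected(version) else "not affected"


def assess_fleet(responses: Dict[str, str]) -> Dict[str, str]:
    """Run assess_meta over a host -> body mapping and return host -> verdict."""
    return {host: assess_meta(body) for host, body in responses.items()}


if __name__ == "__main__":
    for host, verdict in assess_fleet(SAMPLE_META_RESPONSES).items():
        print(f"{host}: {verdict}")
```

A version check only tells you whether the instance is in the affected range; it cannot tell you whether SAML single sign-on with encrypted assertions is enabled, which is the configuration the advisory names as the vulnerable condition. Treat every "affected" and "unknown" result as a host to patch and to review in the GHES authentication settings, and rerun the check after the update to confirm the reported version moved past 3.13.0.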

RECOMMENDATIONS:

We recommend that the following actions be taken:

  • Apply appropriate updates provided by GitHub to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
  • Restrict access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
  • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or an equivalent cloud service provider (CSP) service.
  • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or an equivalent CSP service.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
