May 28, 2024, by Cybersixgill IQ

Two Critical Vulnerabilities Allow Authentication Bypass: GitHub Enterprise Server Flaw and Veeam Backup Enterprise Manager Bug


This week, two critical authentication-bypass vulnerabilities were disclosed, one in GitHub Enterprise Server and one in Veeam Backup Enterprise Manager, that companies running either product should be aware of. Read on for the details and decide whether you need to take action.

GitHub Enterprise Server Flaw

A critical security vulnerability has been disclosed in GitHub Enterprise Server that allows an attacker to bypass authentication and obtain site administrator privileges. Because a site administrator controls every repository, user and setting on the instance, the flaw requires immediate attention from organizations running affected configurations.

Vulnerability Details

The vulnerability, tracked as CVE-2024-4985, carries the maximum CVSS score of 10.0 and affects GitHub Enterprise Server versions prior to 3.13.0. It is only reachable on instances that use SAML single sign-on (SSO) with the optional encrypted assertions feature enabled; that feature is off by default, so instances using SAML without encrypted assertions, or another authentication method, are not exposed.

An attacker can exploit the flaw by forging a SAML response that the server accepts as valid. With that, they can either provision a new user account that holds site administrator privileges or gain access to an existing account that already has them.

Affected Companies

Organizations running unpatched GitHub Enterprise Server versions prior to 3.13.0 with SAML SSO and encrypted assertions enabled are vulnerable to this authentication bypass. GitHub Enterprise Server is the self-hosted edition of GitHub, used by large enterprises, development teams and organizations that need greater control over their repositories and assets.

Mitigation Steps

  1. Update GitHub Enterprise Server: Upgrade to version 3.13.0 or later, or to the patched release of the branch you are on. Microsoft-owned GitHub has shipped the fix in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4, so an instance on 3.11.10, for example, is patched even though it is numerically below 3.13.0.

  2. Disable encrypted assertions or SAML Single Sign-On (SSO): Because the flaw only affects instances with the optional encrypted assertions feature enabled, turning that feature off, or temporarily switching to an alternative authentication method, removes the exposure until the patch is applied.

  3. Monitor for Suspicious Activity: Closely monitor GitHub Enterprise Server instances for signs of unauthorized access, in particular user accounts created through SAML provisioning, promotions to site administrator that no named administrator performed, and site administrator sign-ins from unfamiliar sources. Robust audit logging and intrusion detection help detect and respond to such attempts.

  4. Follow Vendor Recommendations: Stay updated with the latest recommendations and advisories from GitHub regarding this vulnerability. GitHub has provided an emergency fix, and it is essential to follow their guidance to ensure the security of your GitHub Enterprise Server.

  5. Educate Users: Raise awareness among users about the potential risks associated with this vulnerability and the importance of following best practices for secure authentication. Encourage users to report any suspicious activity or unusual login attempts.
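The monitoring step above is easier to act on with concrete rules. The following Python script is an added example, not part of the original article and not GitHub's tooling: it scans GHES-style JSON audit events for the two outcomes the advisory describes, a SAML-provisioned account that is promoted to site administrator almost immediately after creation, and a site administrator signing in over SAML from a source address outside that account's baseline. The action names user.create, user.promote and user.login, the field names, the sample events and the IP baseline are assumptions constructed for the example; verify them against an audit-log export from your own instance before relying on the rules.

```python
"""Audit-log triage for the abuse pattern behind CVE-2024-4985.

Added example, not from the original article or from GitHub. Field names,
action strings, the sample events and the admin IP baseline below are
constructed assumptions for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (assumed GHES-like field names, not a real export).
SAMPLE_EVENTS = """\
{"@timestamp": "2024-05-21T09:58:12Z", "action": "user.login", "actor": "alice", "user": "alice", "method": "saml", "actor_ip": "10.0.0.12"}
{"@timestamp": "2024-05-21T10:02:40Z", "action": "user.create", "actor": "system", "user": "svc-build", "method": "saml", "actor_ip": "203.0.113.7"}
{"@timestamp": "2024-05-21T10:02:41Z", "action": "user.promote", "actor": "system", "user": "svc-build", "actor_ip": "203.0.113.7"}
{"@timestamp": "2024-05-21T10:03:05Z", "action": "user.login", "actor": "svc-build", "user": "svc-build", "method": "saml", "actor_ip": "203.0.113.7"}
{"@timestamp": "2024-05-21T11:15:00Z", "action": "user.create", "actor": "admin-bob", "user": "carol", "method": "saml", "actor_ip": "10.0.0.20"}
{"@timestamp": "2024-05-21T13:40:22Z", "action": "user.login", "actor": "admin-bob", "user": "admin-bob", "method": "saml", "actor_ip": "10.0.0.20"}
{"@timestamp": "2024-05-21T22:05:09Z", "action": "user.login", "actor": "admin-bob", "user": "admin-bob", "method": "saml", "actor_ip": "198.51.100.23"}
"""

# Constructed baseline: known site admins and the addresses they normally use.
SITE_ADMINS = {"admin-bob", "alice"}
KNOWN_ADMIN_IPS = {"admin-bob": {"10.0.0.20"}, "alice": {"10.0.0.12"}}

# A legitimate onboarding rarely creates an account and promotes it within minutes.
PROMOTE_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_provisioning(events, window=PROMOTE_WINDOW):
    """Rule 1: a SAML-provisioned account promoted to site admin within `window`,
    or any promotion performed without a named human actor. Returns (user, reason)."""
    created_by_saml = {}
    findings = []
    for e in events:
        if e["action"] == "user.create" and e.get("method") == "saml":
            created_by_saml[e["user"]] = e
        elif e["action"] == "user.promote":
            creation = created_by_saml.get(e["user"])
            if creation is not None and e["ts"] - creation["ts"] <= window:
                delta = int((e["ts"] - creation["ts"]).total_seconds())
                findings.append((e["user"], f"saml-provisioned account promoted to site admin {delta} s after creation"))
            elif e.get("actor") in (None, "", "system"):
                findings.append((e["user"], "site-admin promotion with no named human actor"))
    return findings


def find_new_admin_source_ips(events, site_admins=SITE_ADMINS, known_ips=KNOWN_ADMIN_IPS):
    """Rule 2: a site admin (including anyone promoted earlier in the log) signing
    in over SAML from an address outside the baseline. Returns (user, ip)."""
    admins = set(site_admins)
    findings = []
    for e in events:
        if e["action"] == "user.promote":
            admins.add(e["user"])  # newly minted admins have no baseline at all
            continue
        if e["action"] != "user.login" or e.get("method") != "saml":
            continue
        user = e["user"]
        if user in admins and e.get("actor_ip") not in known_ips.get(user, set()):
            findings.append((user, e.get("actor_ip")))
    return findings


def triage_audit_log(text=SAMPLE_EVENTS):
    """Run both rules over a log export and return the hits per rule."""
    events = parse_events(text)
    return {
        "provisioning": find_suspicious_provisioning(events),
        "admin_new_ip": find_new_admin_source_ips(events),
    }


if __name__ == "__main__":
    for rule, hits in triage_audit_log().items():
        for hit in hits:
            print(rule, *hit)
```

Run it as a script to print the hits on the constructed sample, or pass your own export to triage_audit_log. The second rule deliberately does not learn new addresses: a sign-in from an unknown source keeps firing until someone updates the baseline on purpose, which is the behaviour you want while an authentication bypass is live.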

Veeam Backup Enterprise Manager Bug

A critical security flaw has been disclosed in Veeam Backup Enterprise Manager (VBEM), the web-based console used to manage Veeam Backup & Replication installations. The vulnerability, tracked as CVE-2024-29849 and rated CVSS 9.8/10, allows an unauthenticated attacker to bypass authentication and log in to the web interface as any user, including administrators of the backup estate.

Affected Companies

Organizations that have deployed Veeam Backup Enterprise Manager are vulnerable to this authentication bypass. Not every Veeam environment is affected: VBEM is an optional component that is not enabled by default, so an installation consisting only of Veeam Backup & Replication is not exposed. Organizations that have deployed VBEM should take immediate action.

Mitigation Steps

  1. Update to the Latest Version: Users are urged to update to version 12.1.2.172 of Veeam Backup Enterprise Manager, as this version addresses the critical security flaw.

  2. Disable Services: If an immediate upgrade is not possible, stop and disable the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) Windows services on the VBEM host until the upgrade can be applied; with both stopped, the vulnerable web interface and its API are no longer listening.

  3. Uninstall if Not in Use: If Veeam Backup Enterprise Manager is not actually in use, uninstall it following Veeam's instructions to remove the attack surface altogether.
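Both mitigation lists on this page start with a version check, and the GitHub Enterprise Server one is easy to get wrong because the fix shipped per release branch (3.11.10 is patched even though it is numerically below 3.13.0). The following Python snippet is an added example, not vendor tooling from GitHub or Veeam, that applies the fixed versions from both advisories to an inventory of hosts. The inventory format, host names and the saml_encrypted_assertions flag are constructed assumptions. GHES exposure also requires the optional encrypted assertions feature, so the check takes that as an input, but an unpatched instance should still be upgraded regardless of the flag.

```python
"""Version triage for CVE-2024-4985 (GitHub Enterprise Server) and
CVE-2024-29849 (Veeam Backup Enterprise Manager).

Added example, not vendor tooling. The fixed versions come from the advisories
summarised on this page; the inventory, host names and flag names are constructed.
"""

# GHES fixes were shipped per release branch; 3.13.0 and later were never affected.
GHES_FIXED_BY_BRANCH = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
GHES_UNAFFECTED_FROM = (3, 13, 0)

# VBEM: one fixed build covers CVE-2024-29849 through CVE-2024-29852.
VBEM_FIXED_BUILD = (12, 1, 2, 172)
VBEM_SERVICES = ("VeeamEnterpriseManagerSvc", "VeeamRESTSvc")


def parse_version(text):
    """'3.12.4' -> (3, 12, 4); '12.1.2.172' -> (12, 1, 2, 172)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return parts


def ghes_vulnerable(version, saml_encrypted_assertions):
    """True if this GHES instance is currently exposed to CVE-2024-4985.

    Exposure needs an unpatched version *and* the optional SAML encrypted
    assertions feature. A patched release on an older branch (e.g. 3.11.10)
    is fixed even though it sorts below 3.13.0, so compare within the branch.
    """
    v = parse_version(version)
    if len(v) != 3:
        raise ValueError(f"GHES versions have three components: {version!r}")
    if not saml_encrypted_assertions:
        return False
    if v >= GHES_UNAFFECTED_FROM:
        return False
    fixed = GHES_FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return True  # branch with no patched release (older than 3.9): upgrade is the only fix
    return v < fixed


def vbem_vulnerable(build):
    """True if this VBEM build predates 12.1.2.172."""
    return parse_version(build) < VBEM_FIXED_BUILD


def triage_inventory(inventory):
    """Return (host, product, action) rows for every host that needs work."""
    actions = []
    for host in inventory:
        if host["product"] == "ghes":
            if ghes_vulnerable(host["version"], host["saml_encrypted_assertions"]):
                branch = parse_version(host["version"])[:2]
                target = GHES_FIXED_BY_BRANCH.get(branch, GHES_UNAFFECTED_FROM)
                actions.append((host["host"], "ghes", "upgrade to " + ".".join(map(str, target))))
        elif host["product"] == "vbem":
            if vbem_vulnerable(host["version"]):
                fixed = ".".join(map(str, VBEM_FIXED_BUILD))
                actions.append((host["host"], "vbem",
                                f"upgrade to {fixed}; until then stop and disable " + " and ".join(VBEM_SERVICES)))
    return actions


# Constructed inventory for demonstration (hosts and flags are invented).
INVENTORY = [
    {"host": "git.corp.example", "product": "ghes", "version": "3.11.9", "saml_encrypted_assertions": True},
    {"host": "git-dr.corp.example", "product": "ghes", "version": "3.12.4", "saml_encrypted_assertions": True},
    {"host": "git-lab.corp.example", "product": "ghes", "version": "3.10.11", "saml_encrypted_assertions": False},
    {"host": "vbem01.corp.example", "product": "vbem", "version": "12.1.1.56"},
    {"host": "vbem02.corp.example", "product": "vbem", "version": "12.1.2.172"},
]

if __name__ == "__main__":
    for host, product, action in triage_inventory(INVENTORY):
        print(f"{host:22} {product:5} {action}")
```

Note that git-lab.corp.example is reported as not exposed only because encrypted assertions are off; it is still on an unpatched 3.10.11 and belongs in the next maintenance window, which is why the function is a triage aid rather than a substitute for patching.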

Additional Vulnerabilities

Veeam has also disclosed three further vulnerabilities in Veeam Backup Enterprise Manager:

CVE-2024-29850: Allows account takeover via NTLM relay

CVE-2024-29851: Allows a privileged user to steal NTLM hashes of a Veeam Backup Enterprise Manager service account if not configured to run as the default Local System account

CVE-2024-29852: Allows a privileged user to read backup session logs

These vulnerabilities have also been addressed in version 12.1.2.172 of Veeam Backup Enterprise Manager.

References

“GitHub warns of SAML auth bypass flaw in Enterprise Server”, BleepingComputer, May 21, 2024, by Bill Toulas

“GitHub Authentication Bypass Opens Enterprise Server to Attackers”, Dark Reading, May 22, 2024

“Critical GitHub Enterprise Server Flaw Allows Authentication Bypass”, The Hacker News, May 21, 2024

“Veeam warns of critical Backup Enterprise Manager auth bypass bug”, BleepingComputer, May 21, 2024, by Sergiu Gatlan

“Critical Veeam Backup Enterprise Manager Flaw Allows Authentication Bypass”, The Hacker News, May 22, 2024

This article was created using Cybersixgill IQ, our generative AI capability that supports teams with instant report writing, simplifies complex threat data and provides 24/7 assistance, transforming cybersecurity for every industry and every individual, at every level.
