@iblue discovered a bug that resulted in a static value being used as the Ruby on Rails session secret for GitHub Enterprise’s management console. A static session secret could allow an attacker to sign arbitrary session cookies and exploitation could result in remote code execution on the server.

Ruby on Rails implements session storage using a cryptographically signed serialized Ruby Hash. This Hash is serialized into a cookie using Marshal.dump and subsequently deserialized using Marshal.load. If an attacker can construct a valid signature, they can create a session cookie that contains arbitrary input passed to Marshal.load. As noted by the Ruby documenation for Marshal.load, this can result in code execution:

By design, ::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code execution if the Marshal data is loaded from an untrusted source.

As a result, ::load is not suitable as a general purpose serialization format and you should never unmarshal user supplied input or other untrusted data.

We addressed the issue by fixing the bug related to how the session secret is initially configured. In addition, we now default to a randomly generated session secret if the initially configured session secret is not found. This issue has been fixed in GitHub Enterprise 2.8.7 (other versions of GitHub Enteprise were not affected).