@iblue discovered a bug that resulted in a static value being used as the Ruby on Rails session secret for GitHub Enterprise’s management console. A static session secret could allow an attacker to sign arbitrary session cookies and exploitation could result in remote code execution on the server.
Ruby on Rails implements session storage using a cryptographically signed, serialized Ruby Hash. The Hash is serialized into a cookie using Marshal.dump and subsequently deserialized using Marshal.load. If an attacker can construct a valid signature, they can create a session cookie that contains arbitrary input passed to Marshal.load. As noted by the Ruby documentation for Marshal.load, this can result in code execution:
::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code execution if the Marshal data is loaded from an untrusted source. As a result, ::load is not suitable as a general purpose serialization format and you should never unmarshal user supplied input or other untrusted data.
We addressed the issue by fixing the bug related to how the session secret is initially configured. In addition, we now default to a randomly generated session secret if the initially configured session secret is not found. This issue has been fixed in GitHub Enterprise 2.8.7 (other versions of GitHub Enterprise were not affected).
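The signed-cookie mechanism and the fix described above, as an added illustrative example (not GitHub's or Rails' own code): a minimal MessageVerifier-style signer that checks the HMAC before Marshal.load is ever called, and a check showing that a cookie minted under a known static secret stops verifying once the instance uses a randomly generated secret. The SessionSigner class and the secret values are constructed here.

```ruby
require 'openssl'
require 'securerandom'

# Minimal model of Rails' cookie session store (ActiveSupport::MessageVerifier style):
#   cookie = Base64(Marshal.dump(hash)) + "--" + HMAC-SHA1(secret, Base64 part)
# Illustrative code added here; it is not GitHub's or Rails' implementation.
class SessionSigner
  def initialize(secret)
    @secret = secret
  end

  # Serialize and sign a session Hash. Only ever called server-side on trusted data.
  def generate(session_hash)
    data = [Marshal.dump(session_hash)].pack('m0') # strict Base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Verify the signature *before* touching Marshal.load. Returns nil on any failure,
  # so untrusted bytes never reach the deserializer.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    Marshal.load(data.unpack1('m0'))
  rescue ArgumentError, TypeError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison so the signature check does not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed values: a static secret models the bug class described above; the rotated
# signer models the fix (a randomly generated, per-instance secret).
STATIC_SECRET = 'constructed-static-secret-do-not-use'.freeze
STATIC_SIGNER = SessionSigner.new(STATIC_SECRET)
ROTATED_SIGNER = SessionSigner.new(SecureRandom.hex(64))
COOKIE_FROM_STATIC = STATIC_SIGNER.generate({ 'user_id' => 42 })

# Count how many of the given cookies a signer accepts; 0 means none verify.
def cookies_accepted_by(signer, cookies)
  cookies.count { |c| !signer.verify(c).nil? }
end
```

Any cookie signed under the static secret verifies everywhere that secret is reused, which is why a per-instance random secret is the corrective default.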