Critical GitLab Vulnerabilities

THE THREAT

On January 11th, GitLabs disclosed multiple vulnerabilities, including one which received the maximum criticality rating of CVSS 10. This maximum criticality vulnerability is tracked as CVE-2023-7028; it is an account takeover via password reset vulnerability. This vulnerability allows for a user account’s password reset emails to be delivered to an unverified email address, enabling account takeover. Proof-of-Concept (PoC) exploit code was publicly released on January 13th.

At the time of writing, there is no indication of attacks exploiting these vulnerabilities in the wild. However, due to the availability of exploit code and the high severity of CVE-2023-7028, it is almost certain that exploitation will occur in the immediate future.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all of the recently disclosed GitLab vulnerabilities
• The eSentire Threat Response Unit is actively tracking these vulnerabilities and reviewing available Proof-of-Concept (PoC) exploit code for new detection opportunities

What you should do about it

• Apply the relevant security updates released by GitLab
• Ensure Multi-Factor Authentication is enabled for all accounts
• Disable password-based authentication where possible

Additional information

As CVE-2023-7028 has a high criticality, allows account takeover, and has functional PoC exploit code, it should be prioritized for immediate remediation. CVE-2023-7028 impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. Within these versions, all authentication mechanisms are impacted. Organizations need to ensure they are running GitLab versions 16.7.2, 16.6.4, 16.5.6.

Users who have Multi-Factor Authentication (MFA) enabled remain vulnerable to a password reset, however, account takeover is not possible as the additional authentication factor is required to login. If an unrecognized password reset email is triggered or if a user is suddenly redirected to login, it is recommended to reset the password.

It should be noted that users without SSO enforcement are vulnerable to account takeover. Additionally, if your configuration permits a username and password alongside SSO options then you are also vulnerable. It is recommended to disable all password authentication options to mitigate the vulnerability for Self-Managed customers that have an external identity provider configured.

At the time of writing, GitLab has not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. They also released details for self-managed customers on how to review logs to check for possible attempts to exploit this vulnerability.

Other vulnerabilities from the release include:

• CVE-2023-5356 (CVSS: 9.6) - Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
• CVE-2023-4812 (CVSS: 7.6) - Bypass CODEOWNERS approval removal
• CVE-2023-6955 (CVSS: 6.6) - Workspaces able to be created under different root namespace
• CVE-2023-2030 (CVSS: 3.5) - Commit signature validation ignores headers after signature

References:

[1] https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
[2] https://docs.gitlab.com/ee/administration/settings/sign_in_restrictions.html#password-authentication-enabled