Skip to content

2024-007: Critical Vulnerabilities in GitLab

Table of Contents

On January 11, 2024, GitLab released a security advisory addressing several vulnerabilities, including critical ones that, if exploited, could lead to account takeover, or slack command execution.
It is recommended upgrading as soon as possible.


GitLab Security Advisory - January 2024

GitLab Security Advisory - January 2024

History: 12/01/2024 --- v1.0 -- Initial publication

Summary

On January 11, 2024, GitLab released a security advisory addressing several vulnerabilities, including critical ones that, if exploited, could lead to account takeover or slack command execution. It is recommended to upgrade as soon as possible.

Technical Details

The vulnerability CVE-2023-7028, with a CVSS score of 10, allows user account password reset emails to be sent to unverified email addresses, leading to potential account takeovers.

The vulnerability CVE-2023-5356, with a CVSS score of 9.6, allows a user to abuse Slack and Mattermost integrations to execute slash commands as another user.

The vulnerability CVE-2023-4812, with a CVSS score of 7.6, would allow a user to bypass the required CODEOWNERS approval by adding changes to a previously approved merge request.

Affected Products

The vulnerability CVE-2023-7028 affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:

  • 16.1 prior to 16.1.6
  • 16.2 prior to 16.2.9
  • 16.3 prior to 16.3.7
  • 16.4 prior to 16.4.5
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to log in.

The vulnerability CVE-2023-5356 affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:

  • from 8.13 prior to 16.5.6
  • from 16.6 prior to 16.6.4
  • from 16.7 prior to 16.7.2

The vulnerability CVE-2023-4812 affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions:

  • from 15.3 prior to 16.5.5
  • from 16.6 prior to 16.6.4
  • from 16.7 prior to 16.7.2

Recommendations

It is strongly recommended to upgrade all GitLab installations to one of the new versions immediately. The release also emphasizes the importance of enabling Two-Factor Authentication (2FA) for additional security.

Detection

At the moment, the editor did not detect any abuse of the vulnerability CVE-2023-7028 on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. Nevertheless, regarding the self-managed instances, customers can review their logs to check for possible attempts to exploit this vulnerability:

  • Check "gitlab-rails/productionjson.log" for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check "gitlab-rails/auditjson.log" for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

References

[1] GitLab Security Advisory - January 2024


```htmlMITRE ATT&CK Matrix Analysis

MITRE ATT&CK Matrix - Analysis from GitLab Security Advisory

Enterprise Layer

Tactic Technique/Sub-technique Potential Attacker Groups Mitigation Techniques
Credential Access T1110 - Brute Force:
T1110.003 - Password Spraying
Attacker groups targeting account credentials Upgrade GitLab, Enable 2FA
Persistence T1078 - Valid Accounts Advanced persistent threats (APTs) Upgrade GitLab, Enable 2FA, Use of strong password policies
Defense Evasion T1556 - Modify Authentication Process:
T1556.003 - Password Reset
Insider threat, Phishing campaigns Upgrade GitLab, Enable 2FA
Execution T1204 - User Execution:
T1204.002 - Malicious File
Malware campaigns, Script kiddies Upgrade GitLab, Review and limit integrations

Mobile Layer

As the vulnerabilities are specific to GitLab's web-based platforms, the mobile layer does not directly apply. If GitLab mobile applications mirror vulnerabilities within the web platform, mitigation efforts for the enterprise layer are also recommended for mobile.

Industrial Control System (ICS) Layer

GitLab is not typically used as a direct component of ICS environments; however, code repositories may impact ICS if they are used to store and manage ICS-related code. Therefore, the same vulnerabilities and mitigation techniques apply from the Enterprise matrix.

Mitigation and Recommendations

  • Immediately upgrade all instances of GitLab to the patched versions as recommended by the advisory.
  • Enable Two-Factor Authentication (2FA) across all GitLab accounts for additional security.
  • Implement strong password policies and account lockout mechanisms to prevent brute-force attacks.
  • Review and restrict the use of integrations like Slack and Mattermost to minimize the exposure to vulnerabilities.
  • Regularly monitor logs for suspicious activities such as multiple password reset requests or unauthorized modification of merge requests.

References

[1] GitLab Security Release: 16.7.2 Released

```


This post was generated entirely by an AI language model. Source: CERT EU

Latest

2024-117: Zero-Day Vulnerabilities in Palo Alto Networks PAN-OS

2024-117: Zero-Day Vulnerabilities in Palo Alto Networks PAN-OS

Palo Alto Networks released security updates for two actively exploited zero-day vulnerabilities in Palo Alto Networks PAN-OS. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to gain administrator privileges, or a PAN-OS administrator to perform actions on the firewall with root privileges. It recommended applying the updates and

Members Public
Modern zsarolóvírusok

Modern zsarolóvírusok

A Magyar Védelmi Beszerzési Ügnynökséget az INC Ransom csoport támadta és zsarolta meg 2024. októberében. Az elmúlt időszakban megszaporodtak azok a magyarországi zsarolóvírus támadások, amelyek során az INC és a vele csaknem 71%-ban azonos Lynx zsarolóvírusokat használták a támadók.

Members Public