CyberWatch

Gitlab Critical Vulnerability Can Allow Account Takeover

By

By

Access Point Consulting

Summary

A vulnerability is present in GitLab Enterprise and Community, a popular DevSecOps platform, which is identified as CVE-2023-7028. This vulnerability has a CVSS score of 10.0 Critical according to GitLab Inc. and allows for an account-take-over of a GitLab administrator account without user interaction. This can be done by a remote attacker by sending two emails for a password reset query which will send a password reset request to both emails.

Impact Assessment

This vulnerability has a Critically high CVSS score allowing for a remote attacker to gain controller of a GitLab administrator account. This vulnerability has a very high impact due to low attack complexity, lack of permissions required, and lack of user interaction required for exploitation.

Affected Software

GitLab Community Edition (CE)/Enterprise Edition (EE) affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2

What it means for you

Checking your organization’s software inventory for instances of GitLab CE or EE, if you have instances referring to remediation and mitigation section below is advised.

Remediation

Upgrading your GitLab Community or Enterprise Edition to version 16.7.2, 16.6.4, 16.5.6 or later will remediate this vulnerability.

A highly recommended mitigation is to ensure Two-Factor-Authentication is configured for the administrator account. According to GitLab, the vulnerability cannot be exploited if 2FA is enabled.

Business Implications

Exploitation of this vulnerability could allow for a catastrophic loss of data, reputation, and capital. Depending on the use of GitLab, code could be changed, access to software development tools could be lost, if used for security that can also be compromised. It is possible the attacker can utilize the automated software delivery feature to push malware infested code to end users which can be detrimental to an organization’s reputation. Many things are at stake depending on what the attacker wants to do with the access and what the organization’s response is to the breach.

Access Point Technology Recommends

Patch: Patching the vulnerability is the best way to prevent exploitation. The versions which are not affected are listed above in the remediation section.

2FA: Enabling Two-Factor-Authentication is one of the best account security tools, and in this instance it will prevent this vulnerability from being exploited as a mitigation. However, 2FA should be used in all accounts as it gives an extra layer of authentication helping to prevent leaked passwords from compromising accounts.

Monitor: There are indicators that his vulnerability has been exploited which should be checked by analysts.

  1. Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  2. Check gitlab-rails/audit_json.log for entries with meta.caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

Associated Bulletins

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/#account-takeover-via-password-reset-without-user-interactions

https://github.com/Vozec/CVE-2023-7028?tab=readme-ov-file

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more