Summary
A vulnerability is present in GitLab Enterprise and Community, a popular DevSecOps platform, which is identified as CVE-2023-7028. This vulnerability has a CVSS score of 10.0 Critical according to GitLab Inc. and allows for an account-take-over of a GitLab administrator account without user interaction. This can be done by a remote attacker by sending two emails for a password reset query which will send a password reset request to both emails.
Impact Assessment
This vulnerability has a Critically high CVSS score allowing for a remote attacker to gain controller of a GitLab administrator account. This vulnerability has a very high impact due to low attack complexity, lack of permissions required, and lack of user interaction required for exploitation.
Affected Software
GitLab Community Edition (CE)/Enterprise Edition (EE) affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2
What it means for you
Checking your organization’s software inventory for instances of GitLab CE or EE, if you have instances referring to remediation and mitigation section below is advised.
Remediation
Upgrading your GitLab Community or Enterprise Edition to version 16.7.2, 16.6.4, 16.5.6 or later will remediate this vulnerability.
A highly recommended mitigation is to ensure Two-Factor-Authentication is configured for the administrator account. According to GitLab, the vulnerability cannot be exploited if 2FA is enabled.
Business Implications
Exploitation of this vulnerability could allow for a catastrophic loss of data, reputation, and capital. Depending on the use of GitLab, code could be changed, access to software development tools could be lost, if used for security that can also be compromised. It is possible the attacker can utilize the automated software delivery feature to push malware infested code to end users which can be detrimental to an organization’s reputation. Many things are at stake depending on what the attacker wants to do with the access and what the organization’s response is to the breach.
Access Point Technology Recommends
Patch: Patching the vulnerability is the best way to prevent exploitation. The versions which are not affected are listed above in the remediation section.
2FA: Enabling Two-Factor-Authentication is one of the best account security tools, and in this instance it will prevent this vulnerability from being exploited as a mitigation. However, 2FA should be used in all accounts as it gives an extra layer of authentication helping to prevent leaked passwords from compromising accounts.
Monitor: There are indicators that his vulnerability has been exploited which should be checked by analysts.
- Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
- Check gitlab-rails/audit_json.log for entries with meta.caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
Associated Bulletins
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/#account-takeover-via-password-reset-without-user-interactions
https://github.com/Vozec/CVE-2023-7028?tab=readme-ov-file
.webp)
.png)
