Critical Account Takeover Vulnerability Impacting GitLab

On January 11, 2024, security fixes for GitLab Community Edition (CE) and Enterprise Edition (EE) were released. The vulnerability identified as CVE-2023-7028 falls under the critical severity category and impacts multiple GitLab CE/EE versions. Exploiting this vulnerability could cause a user's password reset email to be delivered to an email address chosen by the threat actor.

If successfully exploited, the vulnerability could enable attackers to take over accounts without user interaction. The security flaw stems from a bug in the email verification process.

The versions listed below are the affected versions of GitLab self-managed instances that CVE-2023-7028 impacts.

Impacted Versions

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1

As per the security alert released by the official vendor:

Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover, as their second authentication factor is required to log in.

Detecting and Investigating Suspicious Activity in GitLab Logs

To check possible attempts of exploitation, customers are advised to review logs following these steps:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path where params.value.email is a JSON array containing multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller_id of PasswordsController#create and a target_details value that is a JSON array containing multiple email addresses.
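The two log checks above, together with the affected-version list from the "Impacted Versions" section, can be scripted so that an administrator can sweep an instance without reading the logs by hand. The script below is an added example, not GitLab's or Cyble's own tooling. It assumes the JSON shapes GitLab writes to production_json.log (a "params" list of key/value objects, with the reset form's value being an object carrying "email") and audit_json.log (a flattened "meta.caller_id" key and "target_details" serialised as a JSON string); the sample log lines are constructed for the demonstration and use documentation IP ranges and example.com addresses.

```python
import json
import re
from typing import Iterable, Iterator

# Last vulnerable patch release of each affected minor line, taken from the
# "Impacted Versions" list above (16.x.y later than these carry the fix).
AFFECTED_LAST_VULNERABLE = {
    "16.1": "16.1.5", "16.2": "16.2.8", "16.3": "16.3.6", "16.4": "16.4.4",
    "16.5": "16.5.5", "16.6": "16.6.3", "16.7": "16.7.1",
}


def parse_version(version: str) -> tuple:
    """Turn '16.7.1' or '16.7.1-ee' into (16, 7, 1); a missing patch level is 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected_version(version: str) -> bool:
    """True if the instance version falls inside one of the vulnerable ranges."""
    major, minor, _ = parse_version(version)
    last_vulnerable = AFFECTED_LAST_VULNERABLE.get(f"{major}.{minor}")
    if last_vulnerable is None:
        return False  # minor line not listed as affected
    return parse_version(version) <= parse_version(last_vulnerable)


def _load_json_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield parsed records, skipping malformed lines instead of aborting the sweep."""
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def suspicious_password_resets(production_lines: Iterable[str]) -> Iterator[dict]:
    """production_json.log check: POST /users/password with an email *array*.

    A legitimate reset form submits a single email string; an array with more
    than one address is the indicator the vendor advisory describes.
    """
    for rec in _load_json_lines(production_lines):
        if rec.get("path") != "/users/password":
            continue
        for param in rec.get("params") or []:
            value = param.get("value")
            emails = value.get("email") if isinstance(value, dict) else None
            if isinstance(emails, list) and len(emails) > 1:
                yield {"time": rec.get("time"), "remote_ip": rec.get("remote_ip"),
                       "emails": emails}


def suspicious_audit_entries(audit_lines: Iterable[str]) -> Iterator[dict]:
    """audit_json.log check: PasswordsController#create with multiple targets."""
    for rec in _load_json_lines(audit_lines):
        if rec.get("meta.caller_id") != "PasswordsController#create":
            continue
        details = rec.get("target_details")
        if isinstance(details, str):  # GitLab stores the target as a JSON string
            try:
                details = json.loads(details)
            except json.JSONDecodeError:
                continue  # a plain address, i.e. a normal single-target reset
        if isinstance(details, list) and len(details) > 1:
            yield {"time": rec.get("time"), "emails": details}


# Constructed sample log lines (not real GitLab output): one ordinary reset
# request and one request carrying an email array with a foreign address.
SAMPLE_PRODUCTION_LOG = [
    '{"method":"POST","path":"/users/password","time":"2024-01-12T08:00:01.000Z",'
    '"remote_ip":"203.0.113.10","params":[{"key":"user","value":{"email":"alice@example.com"}}]}',
    '{"method":"POST","path":"/users/password","time":"2024-01-12T08:00:02.000Z",'
    '"remote_ip":"198.51.100.7","params":[{"key":"user","value":{"email":'
    '["alice@example.com","attacker@example.net"]}}]}',
    '{"method":"GET","path":"/users/sign_in","time":"2024-01-12T08:00:03.000Z",'
    '"remote_ip":"203.0.113.11","params":[]}',
    'this line is not JSON and must be skipped',
]
SAMPLE_AUDIT_LOG = [
    r'{"time":"2024-01-12T08:00:01.000Z","meta.caller_id":"PasswordsController#create",'
    r'"target_details":"alice@example.com"}',
    r'{"time":"2024-01-12T08:00:02.000Z","meta.caller_id":"PasswordsController#create",'
    r'"target_details":"[\"alice@example.com\",\"attacker@example.net\"]"}',
]

if __name__ == "__main__":
    for v in ("16.7.1", "16.7.2", "16.1.5-ee", "16.0.8"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for hit in suspicious_password_resets(SAMPLE_PRODUCTION_LOG):
        print("production_json.log hit:", hit)
    for hit in suspicious_audit_entries(SAMPLE_AUDIT_LOG):
        print("audit_json.log hit:", hit)
```

On a real instance, feed the generators with open file handles for /var/log/gitlab/gitlab-rails/production_json.log and audit_json.log (the default Omnibus locations); the remote_ip and time values of each hit are what you would pivot on next, and any hit whose array contains an address that does not belong to the account owner should be treated as an attempted takeover of that account.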

Actions to Take in Response to CVE-2023-7028

The following actions are recommended:

  1. Upgrade to the latest patched versions released by the official vendor (see References).
  2. Enable 2-factor authentication (2FA) for all GitLab accounts, especially for users with elevated privileges.
  3. Limit exposure of GitLab instances over the internet.

Internet Exposed GitLab Instances

With multiple proofs of concept (PoCs) available in the public domain, mass exploitation of CVE-2023-7028 is likely. Because the vulnerability can be exploited remotely without any authentication, researchers investigated the internet exposure of GitLab instances and observed over 200,000 internet-exposed instances.

The graph below depicts countries with the highest number of GitLab exposure over the internet.

Figure 1 – Countries with the highest number of internet-exposed GitLab instances

Cybercrime Forums & Telegram

During our investigation, Cyble researchers observed that CVE-2023-7028 was avidly discussed in crime forums and Telegram channels, and a publicly available POC was shared.

Figure 2 – CVE-2023-7028 discussion over cybercrime forum

While one of the data brokers shared the PoC and encouraged readers to exploit this vulnerability, another prominent observation revealed a threat actor on Telegram releasing a list of 4,667 GitLab URLs in connection with the GitLab critical account takeover vulnerability (CVE-2023-7028).

Figure 3 – Threat actors discussing the GitLab vulnerability on a Telegram channel and distributing a list of GitLab-related sites

Conclusion

The identification and announcement of CVE-2023-7028 underscores the critical importance of addressing security vulnerabilities promptly and effectively. This vulnerability in GitLab poses a serious threat, enabling unauthorized individuals to seize control of user accounts, potentially leading to unauthorized access and misuse of sensitive information. The severity of this issue emphasizes the necessity for swift action, with affected systems urgently requiring the application of the provided patch to mitigate the risks.

The proof of concept spreading via cybercrime forums and Telegram significantly exacerbates the severity of CVE-2023-7028. When threat actors actively share exploits and proofs of concept in these underground platforms, it not only accelerates the dissemination of the vulnerability but also amplifies the potential for widespread abuse.

Recommendations

  • Keep software, firmware, and applications updated with the latest patches and mitigations released by the official vendor to prevent attackers from exploiting known vulnerabilities.
  • Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
  • Ensure that two-factor authentication is enabled for all GitLab accounts to provide an additional layer of security.
  • Inform GitLab users about the potential risk associated with this vulnerability and the importance of vigilance in verifying unexpected password reset emails.
  • Emphasize the adoption of security best practices within the organization, such as using strong, unique passwords and regularly updating them.

References

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/#account-takeover-via-password-reset-without-user-interactions

https://about.gitlab.com/update/

https://about.gitlab.com/blog/2020/05/20/gitlab-instance-security-best-practices/

https://github.com/search?q=CVE-2023-7028&type=repositories

The post Critical Account Takeover Vulnerability Impacting GitLab appeared first on Cyble.