A horrible bug in GitLab, previously patched in January, is now being actively exploited. Not only is the flaw easy to abuse, but the outcomes could be nasty—including supply-chain compromise.
It seems that not enough shops took notice of the original advisory, so CISA is out there banging heads together.
CVE-2023-7028 has a perfect CVSS score of 10. In today’s SB Blogwatch, we double-check our versions.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Stam Fine’s finest stand.
What’s the craic? BleepingComputer’s Sergiu Gatlan reports: GitLab account takeover bug is actively exploited
“CVE-2023-7028”
Attackers are actively exploiting a maximum-severity GitLab vulnerability. … GitLab hosts sensitive data, including proprietary code and API keys, and account hijacking can have a significant impact. Successful exploitation can also lead to supply chain attacks that can compromise repositories by inserting malicious code.
…
Tracked as CVE-2023-7028, the security flaw is due to an improper access control weakness. [It] impacts GitLab Community and Enterprise editions, and GitLab fixed it in 16.7.2, 16.5.6, and 16.6.4 and backported patches to versions 16.1.6, 16.2.9, and 16.3.7. … Those who haven’t already patched may have been compromised [and] should follow GitLab’s incident response guide.
How is it exploited? According to ISMG’s David Perera, it’s easy: Hackers Use ‘Forgot Your Password’ to Hijack Accounts
“Opportunistic hacking”
The vulnerability … allows hackers to use the “forgot your password” function to send a reset link to an attacker-controlled inbox. … Attackers don’t need to know the email of the account they’re attempting to hijack.
…
At the time of the patch’s release, GitLab said it didn’t detect any abuse of the vulnerability. … But “no known exploits” at the moment of releasing a patch invariably translates into opportunistic hacking being launched within hours or days.
Yikes. No wonder it’s a 10. But how did it happen? thedanbob unpicks the error:
The intention was [respond to] “any email associated with the user.” You submitted an email address, Gitlab looked up the account associated with it, then sent the reset email to the supplied address. The issue was they didn’t consider what would happen if you submitted an array of emails.
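To make the mistake thedanbob describes concrete, here is an added Ruby example (not GitLab's code, and not from the original post): a toy password-reset handler written in the vulnerable shape, beside a hardened one. The form parser, the in-memory user table, the mailer and the addresses are all constructed stand-ins; the point is how an array-valued `user[email][]` parameter slips through a lookup that tolerates arrays and ends up as the recipient list for the reset token.

```ruby
require "securerandom"
require "uri"

# Constructed in-memory "database" of accounts (sample data, not real users).
USERS = [
  { id: 1, email: "alice@example.test", reset_token: nil },
  { id: 2, email: "bob@example.test",   reset_token: nil },
]

# Minimal stand-in for Rack/Rails parameter parsing: `user[email]=a` yields a
# String, while `user[email][]=a&user[email][]=b` yields an Array.
def parse_form(body)
  params = { "user" => {} }
  URI.decode_www_form(body).each do |key, value|
    case key
    when "user[email]"   then params["user"]["email"] = value
    when "user[email][]" then (params["user"]["email"] ||= []) << value
    end
  end
  params
end

# Recording mailer: remembers every (recipient, token) delivery so the two
# handlers can be compared without sending anything.
class Mailer
  attr_reader :sent
  def initialize; @sent = []; end

  def reset_instructions(to, token)
    Array(to).each { |addr| @sent << { to: addr, token: token } }
  end
end

# Vulnerable shape (illustrative): the lookup happens to accept an Array and
# matches a user if ANY listed address is theirs (like an `IN (...)` query),
# and the mail is addressed to the SUBMITTED value, so every address in the
# array receives the matched account's reset token.
def vulnerable_reset(params, mailer)
  submitted = params.dig("user", "email")
  user = USERS.find { |u| Array(submitted).include?(u[:email]) }
  return :not_found unless user
  user[:reset_token] = SecureRandom.hex(16)
  mailer.reset_instructions(submitted, user[:reset_token])
  :sent
end

# Hardened shape: insist on a single String, normalise it, look up exactly one
# account, and address the mail to the email ON RECORD, never to the input.
def hardened_reset(params, mailer)
  submitted = params.dig("user", "email")
  return :rejected unless submitted.is_a?(String)
  email = submitted.strip.downcase
  user = USERS.find { |u| u[:email] == email }
  # Same response whether or not the account exists (no enumeration oracle).
  return :accepted unless user
  user[:reset_token] = SecureRandom.hex(16)
  mailer.reset_instructions(user[:email], user[:reset_token])
  :accepted
end

if __FILE__ == $PROGRAM_NAME
  body = "user[email][]=alice%40example.test&user[email][]=other%40example.test"
  m = Mailer.new
  vulnerable_reset(parse_form(body), m)
  puts "vulnerable handler mailed: #{m.sent.map { |d| d[:to] }.inspect}"
  m = Mailer.new
  puts "hardened handler result:   #{hardened_reset(parse_form(body), m)}"
end
```

Run as a script, the vulnerable handler reports two recipients for one account's token, while the hardened handler refuses the array outright. The two defensive choices that matter are independent: type-check the parameter (a reset form has no business accepting a list), and derive the recipient from the stored account rather than from the request.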
And why are the implications so dire? The “software supply chain.” Pascal Monett remembers when we used to quaintly call it code reuse:
Developers have the habit ingrained in their skulls that production servers should download code from third-party servers. It’s in the bloodstream now, there’s nothing anyone can do about it.
…
The mantra is, “Move fast and break things.” And, boy, how we are setting ourselves up to be broken.
Wait. Pause. This patch was released in January. How is it still a problem in May? nzeid has some insight:
I got an extremely vague notification about this … several months ago. … I didn’t realize at the time it was this bad.
But using multi-factor authentication (MFA) should prevent compromise. Which raises an interesting point, made by Hrmbee:
“CISA has ordered all civilian federal agencies … to patch the vulnerability.”
It’s interesting to see that there are institutional accounts, presumably with IT departments, that don’t yet have MFA mandated.
Although MFA doesn’t fully protect you. dialing_wand explains thusly:
MFA prevents the bad actors from completing the hijack loop. They can still reset user passwords. … MFA did protect our unpatched Gitlab instance from being hijacked, but not from users being unable to login because their passwords had been changed.
Huh? Say that again—slowly? This Anonymous Coward obliges:
An attacker can successfully reset a user’s password without any authentication. This locks the user out. However, MFA still keeps the attacker from fully logging in.
Meanwhile, Paul Crawford hammers the point home:
4 months on and only about 50% are patched. Oh dear.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image source: U.S. government, via Wikimedia