What You Need to Know About the Latest GitLab Vulnerability (Including Detection)

Account Takeover via Password Reset without user interactions

On January 11th, GitLab announced an issue had been discovered in GitLab CE/EE several versions in which user account password reset emails could be delivered to an unverified email address. This critical vulnerability was given the highest CVSS severity score of 10.0 due to the remote, unauthenticated nature of the attack vector and the low complexity and lack of user interaction required to exploit the issue. Panther Labs’ Threat Research Team has released new rules to detect when this vulnerability is exploited.

GitLab is a DevSecOps platform for managing code repositories and CI/CD workflows. If an administrator account was compromised by exploiting this vulnerability, it could lead to loss of access to code repositories, theft of intellectual property, and malicious code being pushed downstream into the organization’s supply chain.

Having 2FA enabled somewhat mitigates the issue — passwords can still be reset, but attackers would be unable to authenticate without the 2FA code. This could still lead to loss of access to the GitLab server, and sophisticated threat actors have been known to use social engineering techniques and SIM swapping attacks to compromise 2FA codes as well.

Vulnerability Details

Below, are specific vulnerability details from the NIST NVD database.

Exploit

The exploit works by sending a specially crafted payload to the /users/password API endpoint requesting a password reset. The payload contains 2 emails — one of a legitimate user on the GitLab server and the other controlled by the attacker. The password reset email is sent to both email addresses, giving the attacker the opportunity to change the user’s password without any interaction on their part.

The only piece of information an attacker would need would be the email address of a user on a vulnerable GitLab server — a piece of OSINT any attacker with basic skills should be able to get with ease. In fact, one user on the X Platform (Formerly Twitter) went so far as to provide a playbook for anyone interested in doing so. This drew some fire from other members of security research community who questioned the ethics of posting a fully fledged attack plan.

Detection

Exploiting vulnerable systems in the wild is generally frowned upon, but when executed in a controlled environment, this type of adversary emulation is essential for building robust detections. For this reason, the Threat Research Team at Panther Labs deployed a vulnerable GitLab server in our lab and ran the exploits. The log telemetry generated helped us create high fidelity detections for these attacks.

We have published two new detections for GitLab logs based on our research. The first leverages the GitLab Audit log looking for “Ask for password reset” messages where the recipient email address is an array of multiple emails. The second looks at the GitLab Production log, watching for requests to the /users/password API endpoint with an array of email addresses in the request payload.

https://github.com/panther-labs/panther-analysis/pull/1157

Exposure

GitLab stated they had not detected abuse of this vulnerability on any managed GitLab platforms, but self-managed GitLab servers could be impacted. While the vulnerability was addressed in GitLab release 16.7.2, analysis of internet facing GitLab servers shows that there are still thousands of vulnerable systems publicly accessible from the internet. Vulnerable version are also still available for installation from GitLab’s RPM repository.

Self-managed GitLab users should upgrade to the latest version and enable 2FA for all user accounts. If you believe you have been compromised, you should follow GitLab’s incident response protocol and rotate all secrets stored in GitLab.

UK-based Shadowserver’s indicated that, as of January 2024, over 5300 instances of Gitlab were running while vulnerable to CVE-2023-7028. A more recent scan shows the number slowly trending downward, but there are still a concerning number of affected servers running globally with the United States, China and Russia among the more prevalent.

We urge you to familiarize yourself with the techniques used in this attack and refer to the detections we have created – whether you are a current Panther customer or not. If you have any questions, please feel free to reach out to our team

References

Table of Contents

Recommended Resources

Escape Cloud Noise. Detect Security Signal.
Request a Demo