Two Critical Vulnerabilities Impacting GitLab Community Edition and Enterprise Edition

Note: These vulnerabilities are highly likely to exploited, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

GitLab has addressed two critical vulnerabilities in the GitLab Community Edition and Enterprise Edition that require immediate attention.

CVE-2023-7028

A critical flaw has been discovered in GitLab CE/EE in which user account password reset emails could be delivered to an unverified email address. The vulnerability is being tracked as CVE-2023-7028 with a CVSS score of 10 and has a high potential for exploitation due to a recently released PoC. This vulnerability affects all GitLab versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. 

This security fix has been backported to GitLab versions and 16.1.6, 16.2.9, 16.3.7 and 16.4.5 in addition to 16.5.6, 16.6.4 and 16.7.2.

Analysis

CVE-2023-7028 is a critical vulnerability that could have far reaching consequences, even for those that do not operate GitLab instances themselves. This vulnerability allows for an unauthenticated attacker to access development repositories. This can then lead to more significantly impactful supply chain attacks on software that is developed using the GitLab platform, or the theft of sensitive information from those platforms. Organizations operating GitLab will need to ensure that no malicious commits have been made to repositories and should assume compromise at this time, as a proof of concept (PoC) that is trivial to weaponize has been posted publicly as of January 12, 2024.

Impact

CVE-2023-7028 is a highly impactful vulnerability, allowing a threat actor to trivially reset user passwords by redirecting the password reset email to an email inbox they control, essentially allowing for full account takeover.

GitLab states that they have not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.

However, as of January 12, 2024, a PoC was released on x.com by user @rwincey. This proves that the vulnerability is trivial to exploit and can be performed in an automated manner to reset passwords of known users. Kroll assesses that threat actors will use this vulnerability to attack GitLab instances en masse immediately.

Mitigations

Users without single sign on (SSO) enforcement are vulnerable. If your configuration allows a username and password to be used in addition to SSO options, then you could be impacted.

Disabling password authentication via the GitLab help documentation will mitigate the vulnerability for Self-Managed customers that have an external identity provider configured, as this will disable the ability to perform password reset.

An attacker will not be able to take over an account if multi-factor authentication (MFA) is enabled. GitLab states that threat actors "may still be able to reset your password but will not be able to access your second factor authentication method. If you are suddenly redirected to login, or see a reset email triggered, please reset your password."

Indicators of Attack

• Check gitlab-rails/production_json.log for HTTP requests to the "/users/password" path with params.value.email consisting of a JSON array with multiple email addresses.
• Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

CVE-2023-5356

An additional vulnerability detected in GitLab is being tracked as CVE-2023-5356 with a CVSS score of 9.6 and has a low exploitation potential. Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4 and all versions starting from 16.7 before 16.7.2, allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user. This is a critical severity issue.

At the time of writing, GitLab has not reported any cases of this vulnerability being observed in the wild.

Mitigations

GitLab has urged organizations to upgrade affected GitLab installations to the recently released versions 16.7.2, 16.6.4 and 16.5.6. GitLab has published no additional workarounds surrounding this vulnerability.

Below are recommendations from the Kroll Cyber Threat Intelligence (CTI) team on addressing both critical vulnerabilities: 

• Upgrade self-managed instances to a patched version following GitLab's upgrade path. Do not skip upgrade stops as this could create instability.
  • Note: 16.3.x is a required upgrade stop in the GitLab upgrade path.
• Enable two-factor authentication (2FA) for all GitLab accounts, especially for users with elevated privileges (e.g. administrator accounts).
• Discontinue use of the product if mitigations are unavailable.