Patch GitLab vuln without delay, users warned | JP
The US Cybersecurity and Infrastructure Security Agency (CISA) has this week added a vulnerability that was first disclosed in January in the GitLab open source platform to its Known Exploited Vulnerabilities (KEV) catalogue, prompting a flurry of warnings urging users of the service to apply available patches immediately.
Tracked as CVE-2023-7028 and discovered through GitLab’s HackerOne-run bug bounty programme, the flaw exists in GitLab Community and Enterprise Editions.
It’s an improper access control vulnerability that enables an attacker to trigger a password reset email to an unverified email, leading to account takeover. CISA said it was unknown, at the time of publication, if it had been used as a factor in any ransomware attacks.
The addition of a vulnerability to the KEV catalogue obliges US government bodies to patch it immediately if affected – they have until later in May to do so – but also serves as a useful guide, and a timely warning, to enterprises and other organisations about what new vulnerabilities are most impactful, and therefore valuable to cyber criminals and other threat actors.
CVE-2023-7028 affects all versions of GitLab C/EE from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. Users should update to versions 16.7.2, 16.6.4 and 16.5.6 immediately.
“We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards,” wrote GitLab’s Greg Meyers in the organisation’s disclosure notice. “As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.”
Beyond applying the fix, organisations may wish to consider enabling multi-factor authentication (MFA) across their GitLab accounts, and rotate all secrets stored in GitLab, including credentials and account passwords, application programming interface tokens and certificates. More guidance can be found here.
Adam Pilton, cyber security consultant at CyberSmart, and a former cyber crime investigator at Dorset Police, said: “This is a concerning vulnerability as the potential impact of exploitation can be far and wide, with not only the victim’s business being impacted, but potentially those working closely with them.
“The positive news is that there is a patch available addressing this vulnerability, and I would urge everyone affected to apply this as soon as possible.
“I would like to highlight the hero of the story, and once again it is MFA,” he said. “Those users that have implemented MFA would have been protected from any cyber criminal that wanted to access their account, as the additional authentication required would have prevented successful login.
“We must learn lessons from every attack, and the lessons learnt from this vulnerability are to enable MFA, ensure you maintain regular patching and make sure that you demand strong cyber security measures within your supply chain,” said Pilton.
Delayed patching
Of concern to other members of the security community was the fact that although CVE-2023-7028 was patched in January 2024, there are still significant numbers of vulnerable GitLab instances in the wild – according to ShadowServer data correct to 1 May, over 300 in the US, China and Russia, over 200 in Germany, 70 in France, and 40 in the UK.
“The exploit also raises the issue of patching, which we know continues to be a big challenge for many organisations,” said Hackuity strategy vice-president Sylvain Cortes. “The fact is, a patch was released for this flaw on 11 January, yet over a thousand GitLab setups still remain exposed online.
“The priority for teams is to make sure they’re on top of the issues they need to fix first. Severity ratings are important, but security teams should prioritise the vulnerabilities that pose the most risk to their environment.”