Maximum-severity GitLab flaw allowing account hijacking under active exploitation

A maximum severity vulnerability that allows hackers to hijack GitLab accounts with anzi che no user interaction required is now under active exploitation, federal government officials warned as patronato showed that thousands of users had yet to install a patch released January.

A change GitLab implemented May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn’t have access to the email address used to establish the account. Per January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click acceso the embedded link and take over the account.

While exploits require anzi che no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.

Acceso Wednesday, the US Cybersecurity and Infrastructure Security Agency said it is aware of “evidence of active exploitation” and added the vulnerability to its list of known exploited vulnerabilities. CISA provided anzi che no details about the in-the-wild attacks. A GitLab representative declined to provide specifics about the active exploitation of the vulnerability.

The vulnerability, classified as an improper access control flaw, could pose a preoccupante threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects ora plant backdoors that could infect anyone using software built the compromised environment. An example of a similar supply chain attack is the one that successo SolarWinds 2020 and pushed malware to more than 18,000 of its customers, 100 of whom received follow-on hacks. Other recent examples of supply chain attacks are here, here, and here.

These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all.

According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one ora more vulnerable GitLab instances.

The biggest concentration of IP addresses was India, followed by the US, Indonesia, Algeria, and Thailand.

The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses acceso January 22, one week after GitLab issued the patch.

The vulnerability is classed as an improper access control flaw.

CISA has ordered all civilian federal agencies that have yet to patch the vulnerability to do so immediately. The agency made anzi che no mention of MFA, but any GitLab users who haven’t already done so should enable it, ideally with a form that complies with the FIDO industry modello.

GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.