CVE-2023-7028 Alert: Critical GitLab Account Takeover Risk

According to a new security alert, a significant vulnerability identified CVE-2023-7028 causes a serious potential enable the risk of remote account takeover in GitLab. This vulnerability allows for remote exploitation, resulting in account compromise without the need for user interaction. GitLab Users, particularly those Users of GitLab Community Edition (CE) and Enterprise Edition (EE), are strongly warned to take immediate action to patch this critical-severity bug, due to the CVSS score of 10.

The critical GitLab account takeover vulnerability was introduced in version 16.1.0 on May 1, 2023 as part of an update that introduced when the DevOps platform added the option to users reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification procedure. According to GitLab, Account takeover can be achieved by crafting a specially formatted HTTP request that is capable of sending a password reset email to an unverified email address, especially in an unpatched versions.

 

Immediate Action Required:

The GitLab security team acted promptly, releasing fixes in versions 16.5.6, 16.6.4, and 16.7.2. Furthermore, the fix has been backported to GitLab versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5 to ensure broad coverage. While GitLab encourages users to make these changes, also recommends enabling two-factor authentication (2FA) on all accounts. Although users who use 2FA are not at risk of direct account takeover via CVE-2023-7028 exploitation, but they are still vulnerable to their password being reset by an unauthorized party, they will be unable to access your second factor authentication method.

 

Status and Detection:

As of now, The company said it has not detected any exploitation of the critical bug on GitLab.com or GitLab Dedicated instances, but users of self-managed GitLab instances will need to check their own logs to monitor for abuse. All affected customers were informed that a security patch would be released prior to January 11 to ensure their teams would be available and prepared to address it expeditiously.

The following versions are impacted:

  • 16.1 prior to 16.1.5
  • 16.2 prior to 16.2.8
  • 16.3 prior to 16.3.6
  • 16.4 prior to 16.4.4
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

 

GitLab says it has not detected any cases of active exploitation of CVE-2023-7028 but shared the following signs of compromise for defenders:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

 

GitLab Actions:

  • Multiple tests validating the password reset logic, specifically addressing email handling, email generation, and content, have been incorporated to mitigate potential vulnerabilities. The MR checklist mandates security reviews as an essential step for developers. The code review process enforces the necessity of multiple approvals for any changes.
  • The Root Cause Analysis process has been initiated to identify a comprehensive list of follow-up actions aimed at preventing similar vulnerabilities in the future. A two-factor authentication feature has been implemented to counter such vulnerabilities, and it is currently activated for all GitLab Team Members.
  • To enhance future development, additional documentation has been included in the code base, providing engineers with implementation and security considerations. Furthermore, the implementation logic has been revised to disallow the submission of multiple email addresses for reset links.

 

Additional vulnerabilities Disclosures:

In addition to CVE-2023-7028, GitLab CE and EE versions 16.7.2, 16.6.4 and 16.5.6 are security releases that also disclosed several other vulnerabilities:

  1. CVE-2023-5356: A critical bug with a CVSS score of 9.6, (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N), caused by incorrect authorization checks, potentially allowing users to exploit Slack/Mattermost integrations to execute slash commands as another user.
  2. CVE-2023-4812: With a CVSS score of 7.6,(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N) this vulnerability enables the bypassing of CODEOWNERS approval by altering a previously approved merge request.
  3. CVE-2023-6955: This vulnerability, with a CVSS score of 6.6, (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N). allows an attacker to construct a workspace in one group associated with an agent from a different group.
  4. CVE-2023-2030: With a CVSS score of 3.5, (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) this vulnerability enables an attacker to modify the metadata of signed commits.

 

Remediation:

  1. Two-Factor Authentication (2FA): Enforce Two-Factor Authentication (2FA) for all GitLab accounts to add an extra layer of security beyond passwords, reducing the risk of unauthorized access.
  2. Strong Password Complexity: Implement strong password complexity requirements, including a mix of uppercase letters, lowercase letters, numbers, and special characters.
  3. Zero Trust Authentication Model: Adopt a Zero Trust Authentication model to verify every user and device attempting to access GitLab, regardless of their location or network connection.
  4. Rollbase Access Control Review (RBAC): Conduct a comprehensive review of Rollbase access controls within GitLab, ensuring that users have appropriate access based on their roles and responsibilities.