
WARNING: CRITICAL SECURITY UPDATES FOR GITLAB RELEASED, PATCH IMMEDIATELY!

Reference: Advisory #2024-05
Version: 1.0
Affected software: GitLab Community Edition (CE) and Enterprise Edition (EE)
Type: Account Takeover
CVE/CVSS:

CVE-2023-7028: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
CVE-2023-5356: CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)

Sources

GitLab Security Release - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

Risks

GitLab has patched multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE). Successful exploitation of these vulnerabilities could lead to an attacker taking over accounts in GitLab or executing slash commands as another user. Compromised accounts could lead to sensitive information leaking or be used as a pivot into the network of your organization. This poses a significant threat to the Confidentiality, Integrity, and Availability (CIA) triad of information security.

Description

CVE-2023-7028: Account Takeover

A malicious attacker could abuse this vulnerability to reset the password of any account in GitLab without user interaction. Users with 2FA enabled could have their password reset but would still be protected by 2FA authentication. This vulnerability does not affect users who sign in through an SSO solution such as Azure AD or Okta.

CVE-2023-5356: Execute slash commands as another user

An incorrect authorization check allows an attacker to abuse Slack/Mattermost integrations to execute slash commands as another user.

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

The issues have been addressed in the GitLab Critical Security Releases 16.7.2, 16.6.4 and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

The security fix for CVE-2023-7028 has also been backported to GitLab versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5, in addition to 16.5.6, 16.6.4 and 16.7.2.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

GitLab has shared methods to review possible attempts to compromise your GitLab instance using CVE-2023-7028:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
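As an added example (not part of the CCB advisory or of GitLab's own tooling), the following Python script applies the two checks above to constructed sample lines from production_json.log and audit_json.log; the JSON field layout of the sample lines is an assumption built from the field names quoted above, so adapt the lookups to the logs of your own instance.

```python
import json
# Constructed sample log lines, not real GitLab output. The field layout is an
# assumption built from the field names the advisory cites; adapt to your logs.
PRODUCTION_JSON_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.5"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"203.0.113.9"}
"""
AUDIT_JSON_LOG = """\
{"meta.caller.id":"PasswordsController#create","target_details":"[\\"victim@example.com\\",\\"attacker@example.net\\"]"}
{"meta.caller.id":"PasswordsController#create","target_details":"bob@example.com"}
{"meta.caller.id":"SessionsController#create","target_details":"bob@example.com"}
"""

def emails_in(value):
    """Normalise a field holding one address, a list, or JSON text of a list."""
    if isinstance(value, str):
        try:
            value = json.loads(value)  # target_details often carries JSON in a string
        except ValueError:
            return [value]             # plain single address: the benign shape
    return [v for v in value if isinstance(v, str)] if isinstance(value, list) else []

def entries(log_text):
    return (json.loads(line) for line in log_text.splitlines() if line.strip())

def suspicious_password_requests(log_text):
    """production_json.log: /users/password requests whose email param lists several addresses."""
    hits = []
    for entry in entries(log_text):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            value = param.get("value")
            emails = emails_in(value.get("email")) if isinstance(value, dict) else []
            if len(emails) > 1:  # one reset request naming several inboxes
                hits.append((entry.get("remote_ip"), emails))
    return hits

def suspicious_password_audits(log_text):
    """audit_json.log: PasswordsController#create events with several target addresses."""
    hits = []
    for entry in entries(log_text):
        if entry.get("meta.caller.id") != "PasswordsController#create":
            continue
        emails = emails_in(entry.get("target_details"))
        if len(emails) > 1:
            hits.append(emails)
    return hits
```

A single-address reset request is the normal shape and is not flagged; only entries where one request or audit event names more than one address are returned, together with the source IP where the log carries it.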

References

Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5356

Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028