Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns
Patch now: Cyberattackers are exploiting CVE-2023-7028 (CVSS 10) to take over and lock users out of GitLab accounts, steal source code, and more.
A critical security vulnerability in GitLab is under active attack, according to CISA. It allows bad actors to send password reset emails for any account to an email address of their choice, thus paving the way for account takeover.
“This will allow attackers to reset the password just as if they were a user that had legitimately forgotten theirs,” says Erich Kron, security awareness advocate at KnowBe4. “From there, the account would belong to the bad actors.”
Further, Kron warned that if adversaries choose to change the legitimate associated email address for a GitLab account they’ve infiltrated, they could then keep the rightful account owner from being able to log in or use the password recovery function to change it back.
CISA added the vulnerability, CVE-2023-7028, to its Known Exploited Vulnerabilities (KEV) catalog as a “GitLab Community and Enterprise Editions Improper Access Control Vulnerability.” The agency noted that the bug is maximum severity with a 10 out of 10 CVSS vulnerability-severity score, and is requiring Federal Civilian Executive Branch (FCEB) agencies to remediate FCEB networks against the active threat.
Sajeeb Lohani, senior director of cybersecurity at Bugcrowd, said there are publicly available exploits for the bug as well, so defenders shouldn’t sit on this one.
“Since the exploit itself is quite simple to pull off, the bar of entry for the exploit is low, implying less skilled hackers will also be able to exploit this issue,” he says. “In simple terms, this is an issue you want to patch promptly.”
CVE-2023-7028: Risk of Proprietary Data, Code Theft
David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure, explains that the stakes are high for organizations because GitLab stores source code and proprietary data.
“There’s always the risk of an attacker injecting malicious code into the supply chain as well, but that requires the changes not being flagged elsewhere,” he explains. “While data exfiltration typically won’t run up against other checks, the point of a source control platform is that you can easily transfer code in and out of it to local machines.”
He recommends that organizations managing their own GitLab deployments ensure they have a plan to upgrade to a patched version if they haven’t already done so.
“If that can’t be done immediately, then mitigations should be employed,” he says. “You need to ensure that you have regular password rotation or use a separate identity provider for authentication.”
Larger organizations may want to also consider tools that can identify anomalous activity based on user actions, which could flag compromised accounts for quarantine.
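As an added illustration (not code from the article or from GitLab), the following detector flags the takeover sequence described above: a password reset request followed, within a short window, by both a password change and a change of the account’s email. The event fields and the sample events are constructed for this example; a real deployment would feed it GitLab audit events in whatever shape its logging pipeline produces.

```python
"""Flag accounts where a password reset is quickly followed by a password
change and an email change (the lockout pattern described in the article).
Added example, not GitLab's own code; event shape is a constructed stand-in."""
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, username, action, source IP).
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", "alice", "password_reset_requested", "203.0.113.5"),
    ("2024-01-15T09:02:10", "alice", "password_changed", "203.0.113.5"),
    ("2024-01-15T09:03:30", "alice", "email_changed", "203.0.113.5"),
    ("2024-01-15T10:00:00", "bob", "password_reset_requested", "198.51.100.7"),
    ("2024-01-15T10:05:00", "bob", "password_changed", "198.51.100.7"),
    ("2024-01-16T12:00:00", "bob", "email_changed", "198.51.100.7"),
]


def find_takeover_candidates(events, window=timedelta(minutes=30)):
    """Return usernames whose reset request was followed, within `window`,
    by both a password change and an email change (in any order)."""
    per_user = {}
    for ts, user, action, ip in sorted(events):  # sort by timestamp string
        per_user.setdefault(user, []).append((datetime.fromisoformat(ts), action, ip))

    flagged = []
    for user, evs in per_user.items():
        for i, (t0, action, _ip) in enumerate(evs):
            if action != "password_reset_requested":
                continue
            # Only look at events that land inside the window after the reset.
            later = {a for t, a, _ in evs[i + 1:] if t - t0 <= window}
            if {"password_changed", "email_changed"} <= later:
                flagged.append(user)
                break  # one hit per user is enough for triage
    return flagged


if __name__ == "__main__":
    print("review for possible takeover:", find_takeover_candidates(SAMPLE_EVENTS))
```

Bob’s email change lands a day after the reset and is therefore not flagged; tune the window to your own reset-link lifetime.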
MFA, Zero Trust Are Effective Counters
Defending against these types of attacks goes back to security basics. For instance, Kron suggests that one of the most effective ways to counter attacks such as unauthorized password changes is the use of multifactor authentication (MFA), which attackers keep trying to circumvent.
He added that while MFA is not unhackable, it can add enough complexity to the account takeover process that the bad actors may fail.
“Even if they could reset your password, they will not be able to log in without the second factor,” he says. “This could prevent them from changing the recovery email address, making them unable to lock the rightful account owner out.”
Patrick Tiquet, vice president of security and architecture at Keeper Security, meanwhile notes the most effective method to prevent account-based cyberattacks is to invest in a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access.
He also says a privileged access management (PAM) solution is imperative for IT administrators and security personnel to manage and secure privileged credentials and ensure least-privilege access.
“Additionally, each organization’s patch management strategy needs to have a fast track for critical vulnerabilities with high possible severities — like this one — to ensure they can immediately take action,” Tiquet says.
About the Author(s)
Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.