Headline
GitLab patches RCE bug in GitHub import function
Data importation mechanism failed to sanitize imports
Ben Dickson 13 October 2022 at 14:27 UTC
Data importation mechanism failed to sanitize imports
A vulnerability in GitLab allowed attackers to stage various attacks against GitLab servers, including the cloud-hosted GitLab.com platform.
The bug, reported by security researcher ‘yvvdwf’, was caused by the way GitLab imports data from GitHub, which could be exploited to run commands on the host server.
Unsafe imports
GitLab uses Octokit, a library that provides an interface to import data from the GitHub API. To retrieve and present its results, Octokit uses the HTTP client library Sawyer.
However, GitLab directly used the Sawyer results returned by Octokit without sanitizing them, which provided opportunities to insert malicious commands.
Yvvdwf found that one of the parameters used in the import function was prone to command injections against GitLab’s Redis database.
RCE, information theft, and more
On standalone GitLab installations, an attacker could exploit the command injection bug to escalate from Redis to Bash and send commands to the operating system. Any potential attacker would have remote code execution (RCE) access to the host with the privileges of the host process.
While the RCE exploit did not work on GitLab.com, yvvdwf was able to use other Redis commands to replicate data from GitLab.com to a standalone server with a public IP. They were also able to poison GitLab projects through the same mechanism and make them inaccessible.
An attacker with a standalone GitLab installation and an API access token could use the exploit to steal information, inject malicious code, and perform other malicious actions against GitLab.com.
Protecting GitLab servers
The vulnerability was assigned CVE-2022-2884 with a critical base score of 9.9 in the Common Vulnerability Scoring System.
GitLab has already patched the issue in GitLab.com and published a critical security release for GitLab Community Edition and Enterprise Edition.
All users are advised to upgrade their GitLab installation. For organizations that can’t upgrade right away, GitLab advises them to secure their installation by disabling imports until they can patch their system.
While GitLab users will be safe by using the cloud or updated self-hosted version of the platform, other services that use Octakit to interact with GitHub should be wary and make sure that they perform the right checks around the data they pass on and receive through the library.
RELATED Policy-as-code approach counters ‘cloud native’ security risks
Related news
A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint
Categories: Exploits and vulnerabilities Categories: News Tags: GitLab Tags: RCE Tags: CVE-2022-2884 Tags: GitHub Tags: import GitLab has released important security fixes to patch for an RCE vulnerability, known as CVE-2022-2884. (Read more...) The post Update now! GitLab issues critical security release for RCE vulnerability appeared first on Malwarebytes Labs.
DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems. Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability scoring system and impacts all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3,
Update now to protect against security vulnerability