CISA identifies GitLab vulnerability under exploit

Hope you have two-factor

The US cyber agency has told federal agencies to patch a GitLab flaw that makes accounts vulnerable to takeover.

The US Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all federal agencies patch a critical GitLab vulnerability in both Community and Enterprise editions, which is under active exploit.

We know the flaw, tracked as CVE-2023-7028, is being exploited because CISA added it to the Known Exploited Vulnerabilities list, according to The Register. Federal agencies have a maximum of 21 days to patch vulnerabilities on this list.

GitLab first announced the flaw in January, assigning it the maximum CVE severity rating of 10. However, the National Vulnerability Database only assigns it a score of 7.5.

Astute readers will have noticed that the tracking number contains '2023', meaning the vulnerability has existed since last year - May 2023, according to GitLab. However, it has only recently been actively exploited and requires a fix.

The flaw sits in GitLab version 16.1.0, released in May last year. This version introduced a change whereby users could reset their account passwords using a different email address.

The following versions are vulnerable:

• 16.1 to 16.1.5
• 16.2 to 16.2.8
• 16.3 to 16.3.6
• 16.4 to 16.4.4
• 16.5 to 16.5.5
• 16.6 to 16.6.3
• 16.7 to 16.7.1

A bug in the verification process meant attackers who knew a victim's email address could intercept the password reset email and take over the account for themselves, using an edited HTTP request.

Two-factor authentication, which should be a standard security practice, completely shuts the attack down - which is a good thing, considering how widely used GitLab is.

Accessing a legitimate user's GitLab account could open up vulnerabilities up and down the software supply chain.

Supply chain attacks are a potent type of strike, where by infiltrating one company a threat actor gets access to many others. In just the last six months we've seen them used to compromise Bank of America and Okta, although perhaps the most well known in recent years was the Solarwinds hack.

The number of vulnerable GitLab environments has fallen from around 5,500 in January to fewer than 2,400 today, according to Shadowserver, with most - over 1,000 - in Europe.