DEV Community

Cover image for GitLab Vulnerabilities And Security Incidents: 2023 In Review
GitProtect Team for GitProtect

Posted on • Edited on • Originally published at gitprotect.io

GitLab Vulnerabilities And Security Incidents: 2023 In Review

We continue our series of DevOps incidents and failures. This time, we stopped our view on GitLab. What incidents made this secure service provider appear in Tech media in 2023?

Well, let’s jump at the topic and see what vulnerability flaws and threat incidents GitLab had to deal with to help its users protect their data.

GitLab Status Information (Review of 2023)

DECEMBER 2023
GitLab Status info: 3 incidents

NOVEMBER 2023
GitLab Status info: 5 incidents

OCTOBER 2023
GitLab Status info: 6 incidents

SEPTEMBER 2023
GitLab Status info: 5 incidents

Critical flaw detected in GitLab – users must update

Affecting all versions of GitLab Enterprise Edition (EE) from 13.12 to 16.2.7, and the GitLab Community Edition (CE) versions from 16.3 to 16.3.4, the detected critical flaw, CVE-2023-5009 ranked at CVSS score of 9.6 could allow a threat actor to run pipelines as an arbitrary user through the scheduled security scan policies.

The given vulnerability was a bypass of the CVE-2023-3932 security flaw, which GitLab resolved earlier in August 2023. Here is what GitLab says in its advisory:

“This was a bypass of CVE-2023-3932 showing additional impact. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2023-5009.”

If an attacker managed to exploit the vulnerability flaw, he could access sensitive data or use the elevated user permissions to run arbitrary code or make some changes to the source code on the system… both of which might have severe consequences and affect the user’s critical data.

The Hacker News / Security Week

AUGUST 2023
GitLab Status info: 10 incidents

Cyberattacks on GitLab platforms using binaries

In August GitLab fell victim to a highly skilled assault that not only undermined the service provider’s security but also made an innovative Proxyjacking scheme possible. According to the Sisdig Threat Research Team (TRT), the malicious actors in their financially motivated operation, dubbed LABRANT, used binaries written in Go and .NET to compromise the instances of the on-premise version of the GitLab CI/CD platform. Here is what the Sysdig’s report says:

“The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command and control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence.”

Initially, the attackers managed to gain access to the container using the CVE-2021-22205 vulnerability flaw (CVSS score of 10.0) which GitLab already remediated and patched in GitLab versions released on April 14, 2021. Then, once they accessed the server, the threat actors downloaded a malicious script from the C2 server. To hide and redirect connections to a password-protected web server, which hosted a malicious shell script, the hostile actors used a legitimate service, TryCloudflare. Thus, it was hard for the defenders to flag subdomains as malicious. What’s more, they used normal operations as well… How tricky…

The entire LABRANT operation could ultimately open the door for ransomware, data theft, and other follow-on attacks. Thus, in its advisory GitLab urged its users to upgrade their self-managed public-facing GitLab instances to a fixed version as soon as possible.

Moreover, here is the advice GitLab shared to The Hacker News:

“Users impacted by CVE-2021-22205 should follow their organization’s Security Incident and Disaster Recovery processes to deprovision the compromised instance and restore the latest good working backup to a new GitLab instance”.

💡 *What is Proxyjacking? *

Proxyjacking is a malevolent technique in which a threat actor takes over its target’s proxy server and, as a result, can snoop on and alter the victim’s online activity and presence.

DevOps.com / The Hacker News / TechNews

GitLab patches critical RCE bug

A critical severity issue, identified as CVE-2022-2884 with a dangerous base score of 9.9 in CVSS, GitLab patched at the beginning of November. Using the vulnerability threat actors could launch several attacks against GitLab servers. As the company explained in its advisory, the vulnerability could allow “an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.”

Thus, to address the issue found in GitLab CE/EE visions from 11.3.4 to 15.1.5, GitLab strongly recommended upgrading the vulnerable instances to the latest version as soon as possible.

The Daily Swig. Cybersecurity news and views / HELP Net Security

JULY 2023
GitLab Status info: 5 incidents

JUNE 2023
GitLab Status info: 10 incidents

Critical account takeover flaw in GitLab is patched

On June 1st, GitLab released patches to address an account takeover issue discovered in GitLab Enterprise Edition. The severity issue was tracked as CVE-2022-1680 with a CVSS score of 9.9. According to GitLab, the issue was primarily caused by a bug in the open standard System for Cross-domain Identity Management (SCIM), which is available on Premium+ membership.

Thus, by configuring the group SAML SSO, any owner of a Premium group can permit to invite arbitrary users via their email or username. They can then use SCIM to change those users’ email addresses to attacker-controlled ones, which would allow them to take over those accounts if there is no 2FA. What’s more, with the critical issue an attacker could “change the display name and username of the targeted account,” as GitLab explains in its advisory.

Decipher. Security news that informs and inspires

MAY 2023
GitLab Status info: 6 incidents

GitLab security update addresses a critical vulnerability with the max CVSS score

On May 23, 2023, GitLab released version 16.0.1 for GitLab Community Edition and Enterprise Edition with important security fixes, addressing a vulnerability flaw tracked as CVE-2023-2825 with the maximum CVSS score of 10.

According to the GitLab advisory, _“an unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.” _

Thus, after releasing the update, GitLab strongly recommended that all the installations run 16.0.0. version was upgraded to the released version as soon as possible.

GridinSoft.blog

APRIL 2023
GitLab Status info: 8 incidents

MARCH 2023
GitLab Status info: 9 incidents

GitLab critical flaw could allow attackers to read arbitrary files & remotely execute code

According to Threat Post, a vulnerability flaw, which was found via the HackerOne bug bounty platform, was found in GitLab on March 23. The critical vulnerability is a path-traversal flaw that could permit a threat actor to read arbitrary files on the server that was running the app. Thus, an attacker could get access to tokens, configs, private data, and more.

The vulnerability was specifically in GitLab’s UploadsRewriter function, which could be used to duplicate files. The vulnerability was already addressed and patched in GitLab version 12.9.1. Here is what GitLab states:

“An SSRF issue was discovered in the project import note feature. This issue is now mitigated in the latest release and is assigned CVE-2020-10956.”

Threat Post

FEBRUARY 2023
GitLab Status info: 4 incidents

JANUARY 2023
GitLab Status info: 5 incidents

What’s the best way to boost the security of your GitLab data in 2024?

GitLab is a highly secure Git platform that takes the security of its users seriously. It regularly patches vulnerabilities and has a clear communication of the threats it faces.

However, GitLab, as any other service provider follows the Shared Responsibility Model. It means that GitLab and its users share their duties in protecting the data. How do you think who is responsible for your data? Yeap, you are.

Thus, to stay piece of mind that your source code and metadata are safe you should keep up with security best practices, such as restricting and controlling access to your GitLab account, rotating personal access tokens, keeping your finger on the pulse, and updating your app as soon as the new version is released… especially if there are some vulns. Moreover, you shouldn’t forget about the zero-trust approach while building your CI/CD and GitLab backup, which is the final line of source code protection. With secure GitLab backup best practices you will be able to eliminate any disruptions of your workflow continuity due to GitLab outages, your own infrastructure downtime, human errors, or ransomware attacks.

USEFUL RESOURCES:

Blog posts:
GitLab backup and restore best practices
GitLab restore and Disaster Recovery
Top 2023 Resources for the DevOps career roadmap

E-books:
GitLab backup guide

Success stories:
SUE adopts GitProtect.io backups for the GitLab environment to guarantee its Disaster Recovery

✍️ Subscribe to GitProtect DevSecOps X-Ray Newsletter – your guide to the latest DevOps & security insights

🚀 Ensure compliant DevOps backup and recovery with a 14-day free trial

📅 Let’s discuss your needs and see a live product tour

Top comments (0)