We continue our series on DevOps incidents and failures. This time, we turn our attention to GitLab. What incidents put this secure service provider in the tech media in 2023?
Let’s jump into the topic and see what vulnerabilities and threat incidents GitLab had to deal with to help its users protect their data.
DECEMBER 2023
GitLab Status info: 3 incidents
NOVEMBER 2023
GitLab Status info: 5 incidents
OCTOBER 2023
GitLab Status info: 6 incidents
SEPTEMBER 2023
GitLab Status info: 5 incidents
Critical flaw detected in GitLab – users must update
The critical flaw, CVE-2023-5009, with a CVSS score of 9.6, affected all versions of GitLab Enterprise Edition (EE) from 13.12 to 16.2.7 and GitLab Community Edition (CE) versions from 16.3 to 16.3.4. It could allow a threat actor to run pipelines as an arbitrary user through scheduled security scan policies.
The vulnerability was a bypass of CVE-2023-3932, a security flaw GitLab had resolved earlier, in August 2023. Here is what GitLab says in its advisory:
“This was a bypass of CVE-2023-3932 showing additional impact. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2023-5009.”
An attacker who managed to exploit the vulnerability could access sensitive data, or use the elevated permissions to run arbitrary code or modify the source code on the system, either of which might have severe consequences for the user’s critical data.
The Hacker News / Security Week
AUGUST 2023
GitLab Status info: 10 incidents
Cyberattacks on GitLab platforms using binaries
In August, self-managed GitLab instances fell victim to a highly skilled assault that not only compromised their security but also enabled a novel proxyjacking scheme. According to the Sysdig Threat Research Team (TRT), the malicious actors in this financially motivated operation, dubbed LABRAT, used binaries written in Go and .NET to compromise instances of the self-managed (on-premise) version of the GitLab CI/CD platform. Here is what Sysdig’s report says:
“The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command and control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence.”
Initially, the attackers gained access to the container through CVE-2021-22205 (CVSS score of 10.0), a vulnerability GitLab had already remediated and patched in the GitLab versions released on April 14, 2021. Once on the server, the threat actors downloaded a malicious script from the C2 server. To hide and redirect connections to a password-protected web server hosting a malicious shell script, they used a legitimate service, TryCloudflare, which made it hard for defenders to flag the subdomains as malicious. What’s more, they hid behind normal operations as well… How tricky…
The entire LABRAT operation could ultimately open the door to ransomware, data theft, and other follow-on attacks. Thus, in its advisory GitLab urged users to upgrade their self-managed, public-facing GitLab instances to a fixed version as soon as possible.
Moreover, here is the advice GitLab shared with The Hacker News:
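The TryCloudflare trick works because a quick-tunnel hostname is just another `*.trycloudflare.com` name, so blocking the domain outright is not an option for every organization. A practical detection is to look for such lookups coming from hosts that have no business using quick tunnels, such as a self-managed GitLab server. The script below is an added example (not from the original post or from Sysdig’s report): it parses a constructed, simplified resolver log (timestamp, client IP, query type, query name; not any specific resolver’s format) and reports non-allowlisted clients that resolved a quick-tunnel name. The allowlist and all addresses are assumptions.

```python
"""Flag DNS lookups of TryCloudflare quick-tunnel hostnames from clients that
should never use them (for example a self-managed GitLab host).

Added illustrative example; not part of the original post or Sysdig's report.
The log format is a constructed, simplified query log rather than the output
of any particular resolver.
"""
import re

# Constructed sample log lines (not real traffic). The last line is deliberately
# malformed to show that unparsable records are skipped rather than crashing.
SAMPLE_LOG = """\
2023-08-02T10:14:03Z 10.0.5.21 query[A] registry.gitlab.com
2023-08-02T10:14:09Z 10.0.5.21 query[A] proxy.golang.org
2023-08-02T10:15:41Z 10.0.5.21 query[A] tidy-crab-amber-rain.trycloudflare.com
2023-08-02T10:15:42Z 10.0.5.21 query[AAAA] tidy-crab-amber-rain.trycloudflare.com
2023-08-02T10:20:00Z 10.0.7.3 query[A] dev-demo-tunnel.trycloudflare.com
2023-08-02T10:21:12Z 10.0.5.21 query[A] trycloudflare.com
this line is not a query record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\[(?P<qtype>[^\]]+)\]\s+(?P<qname>\S+)$"
)

# Clients expected to use cloudflared quick tunnels (assumption: a developer workstation).
ALLOWED_CLIENTS = {"10.0.7.3"}


def is_quick_tunnel_name(qname: str) -> bool:
    """True for <label>.trycloudflare.com, the quick-tunnel pattern; the apex
    domain itself is not a tunnel and is not flagged."""
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) >= 3 and labels[-2:] == ["trycloudflare", "com"]


def parse_line(line: str):
    """Return the record's fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_tunnel_lookups(log_text: str, allowed_clients=ALLOWED_CLIENTS) -> dict:
    """Return {client: {tunnel_hostname: first_seen_timestamp}} for every client
    not on the allowlist that resolved a quick-tunnel name."""
    findings: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] in allowed_clients:
            continue
        qname = rec["qname"].lower().rstrip(".")
        if is_quick_tunnel_name(qname):
            # setdefault keeps the earliest timestamp for repeated lookups (A and AAAA).
            findings.setdefault(rec["client"], {}).setdefault(qname, rec["ts"])
    return findings


if __name__ == "__main__":
    for client, names in find_tunnel_lookups(SAMPLE_LOG).items():
        for name, first_seen in names.items():
            print(f"{client} resolved {name} (first seen {first_seen})")
```

In the sample, only the GitLab host 10.0.5.21 is reported; the developer workstation is allowlisted, and the bare `trycloudflare.com` lookup is ignored because it is not a tunnel name. Run against real resolver logs, the same logic gives a small, reviewable list of hosts to investigate.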
“Users impacted by CVE-2021-22205 should follow their organization’s Security Incident and Disaster Recovery processes to deprovision the compromised instance and restore the latest good working backup to a new GitLab instance”.
💡 *What is Proxyjacking?*
Proxyjacking is a malicious technique in which a threat actor takes over its target’s proxy server and, as a result, can snoop on and alter the victim’s online activity and presence.
DevOps.com / The Hacker News / TechNews
GitLab patches critical RCE bug
At the beginning of November, GitLab patched a critical severity issue identified as CVE-2022-2884, with a dangerous CVSS base score of 9.9. Using the vulnerability, threat actors could launch several kinds of attacks against GitLab servers. As the company explained in its advisory, the vulnerability could allow “an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.”
Thus, to address the issue found in GitLab CE/EE versions from 11.3.4 to 15.1.5, GitLab strongly recommended upgrading vulnerable instances to the latest version as soon as possible.
The Daily Swig. Cybersecurity news and views / HELP Net Security
JULY 2023
GitLab Status info: 5 incidents
JUNE 2023
GitLab Status info: 10 incidents
Critical account takeover flaw in GitLab is patched
On June 1st, GitLab released patches to address an account takeover issue discovered in GitLab Enterprise Edition. The issue was tracked as CVE-2022-1680 with a CVSS score of 9.9. According to GitLab, it was primarily caused by a bug in its implementation of the open standard System for Cross-domain Identity Management (SCIM), which is available on Premium+ subscriptions.
With group SAML SSO configured, any owner of a Premium group could invite arbitrary users via their email or username, then use SCIM to change those users’ email addresses to attacker-controlled ones, which would allow them to take over those accounts in the absence of 2FA. What’s more, with this critical issue an attacker could “change the display name and username of the targeted account,” as GitLab explains in its advisory.
Decipher. Security news that informs and inspires
MAY 2023
GitLab Status info: 6 incidents
GitLab security update addresses a critical vulnerability with the max CVSS score
On May 23, 2023, GitLab released version 16.0.1 of GitLab Community Edition and Enterprise Edition with important security fixes, addressing a vulnerability tracked as CVE-2023-2825 with the maximum CVSS score of 10.
According to the GitLab advisory, _“an unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.”_
Thus, after releasing the update, GitLab strongly recommended that all installations running version 16.0.0 be upgraded to the fixed release as soon as possible.
APRIL 2023
GitLab Status info: 8 incidents
MARCH 2023
GitLab Status info: 9 incidents
GitLab critical flaw could allow attackers to read arbitrary files & remotely execute code
According to Threatpost, a vulnerability reported via the HackerOne bug bounty platform was found in GitLab on March 23. The critical vulnerability is a path-traversal flaw that could permit a threat actor to read arbitrary files on the server running the app, giving access to tokens, configs, private data, and more.
The vulnerability was specifically in GitLab’s UploadsRewriter function, which could be used to duplicate files. It was addressed and patched in GitLab version 12.9.1. Here is what GitLab states:
“An SSRF issue was discovered in the project import note feature. This issue is now mitigated in the latest release and is assigned CVE-2020-10956.”
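Both the May entry (CVE-2023-2825) and this March entry are path-traversal bugs: a user-controlled path segment ends up joined onto a server-side base directory, and `..` components walk out of it. The snippet below is an added example, not GitLab’s code and not a reconstruction of either bug; it shows the general defect next to a hardened resolver that refuses anything outside the base directory. The uploads directory and file names are constructed.

```python
"""Path traversal: an unsafe attachment resolver next to a hardened one.

Added illustrative example, not GitLab's code and not the actual bug. It shows
the general defect class (user-controlled path segments joined onto a base
directory) and a check that stops it. Directory and file names are constructed.
"""
import os

UPLOADS_DIR = "/srv/gitlab/uploads"  # constructed base directory


def resolve_attachment_unsafe(uploads_dir: str, requested: str) -> str:
    """Before: joins the request path onto the base with no validation.
    '../../../etc/passwd' walks out of uploads_dir, and an absolute path
    replaces the base entirely (that is how os.path.join behaves)."""
    return os.path.normpath(os.path.join(uploads_dir, requested))


def resolve_attachment_safe(uploads_dir: str, requested: str) -> str:
    """After: return an absolute path that is provably inside uploads_dir,
    or raise ValueError. realpath() collapses '..' and follows symlinks, so a
    symlink planted inside uploads_dir cannot steer the check outside it."""
    if "\x00" in requested or os.path.isabs(requested):
        raise ValueError("invalid attachment path")
    base = os.path.realpath(uploads_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components, so '/srv/gitlab/uploads2'
    # is not mistaken for a child of '/srv/gitlab/uploads' the way a plain
    # startswith() prefix test would.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("attachment path escapes the uploads directory")
    return candidate


def escapes_uploads_dir(requested: str, uploads_dir: str = UPLOADS_DIR) -> bool:
    """True when the hardened resolver rejects the request."""
    try:
        resolve_attachment_safe(uploads_dir, requested)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for req in ["group-a/sub/attachment.png", "../../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r}: unsafe -> {resolve_attachment_unsafe(UPLOADS_DIR, req)}, "
              f"rejected by hardened resolver: {escapes_uploads_dir(req)}")
```

The nesting depth mentioned in the May advisory is a detail of where GitLab’s bug lived, not of the fix: the defence is the same in every case, canonicalize first and then compare whole path components against the base directory.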
FEBRUARY 2023
GitLab Status info: 4 incidents
JANUARY 2023
GitLab Status info: 5 incidents
What’s the best way to boost the security of your GitLab data in 2024?
GitLab is a highly secure Git platform that takes the security of its users seriously. It regularly patches vulnerabilities and communicates clearly about the threats it faces.
However, GitLab, like any other service provider, follows the Shared Responsibility Model, which means that GitLab and its users share the duties of protecting the data. Who do you think is responsible for your data? Yep, you are.
Thus, for peace of mind that your source code and metadata are safe, you should keep up with security best practices, such as restricting and controlling access to your GitLab account, rotating personal access tokens, keeping your finger on the pulse, and updating your app as soon as a new version is released… especially if it fixes vulnerabilities. Moreover, you shouldn’t forget about the zero-trust approach while building your CI/CD, nor about GitLab backup, which is the final line of source code protection. With secure GitLab backup best practices you will be able to eliminate disruptions to your workflow continuity due to GitLab outages, your own infrastructure downtime, human error, or ransomware attacks.
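“Updating as soon as a new version is released” starts with knowing whether the version you run is inside an affected range. The script below is an added example (not a GitLab tool and not from the original post): it encodes the affected ranges for the version-specific advisories quoted on this page and checks a version string against them. The ranges are copied from the post’s wording; the post’s “to X” endpoints are treated as the first fixed release (which is how GitLab’s advisories phrase them, “before X”), so X itself is reported as not affected. The sample JSON body is constructed to look like the `"version"` field of a GitLab `GET /api/v4/version` response; check the ranges against the advisories before relying on them.

```python
"""Check a self-managed GitLab version against the affected ranges quoted in this post.

Added example, not a GitLab tool. Ranges are taken from the post's wording, with
the upper endpoint treated as the first fixed release (exclusive). The sample
API response is constructed, not fetched.
"""
import json
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'16.2.7-ee' -> (16, 2, 7); '13.12' -> (13, 12, 0). The '-ee' suffix and
    any other trailing tag is ignored for comparison purposes."""
    core = v.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))


# (CVE, edition, first affected, first fixed) as the post describes them;
# 'any' applies to both CE and EE.
ADVISORIES = [
    ("CVE-2023-5009", "ee",  "13.12",  "16.2.7"),
    ("CVE-2023-5009", "ce",  "16.3",   "16.3.4"),
    ("CVE-2022-2884", "any", "11.3.4", "15.1.5"),
    ("CVE-2023-2825", "any", "16.0.0", "16.0.1"),
]


def edition_of(version_string: str) -> str:
    """Assumption: EE builds report a version ending in '-ee', CE builds do not."""
    return "ee" if version_string.strip().endswith("-ee") else "ce"


def affected_cves(version_string: str) -> List[str]:
    """Return the CVEs whose [first affected, first fixed) range contains this version."""
    ver = parse_version(version_string)
    edition = edition_of(version_string)
    hits: List[str] = []
    for cve, ed, first, fixed in ADVISORIES:
        if ed not in ("any", edition):
            continue
        if parse_version(first) <= ver < parse_version(fixed) and cve not in hits:
            hits.append(cve)
    return hits


# Constructed sample of the JSON body returned by GET /api/v4/version
# (the revision value is a placeholder, not a real commit id).
SAMPLE_VERSION_RESPONSE = '{"version": "16.0.0-ee", "revision": "0000000000"}'


def check_response(body: str) -> List[str]:
    """Parse a /api/v4/version body and report the matching CVEs."""
    return affected_cves(json.loads(body)["version"])


if __name__ == "__main__":
    for v in ["16.0.0-ee", "15.1.4", "16.3.4-ee", "16.4.1-ee"]:
        print(f"{v}: {affected_cves(v) or 'not affected by the advisories on this page'}")
    print("sample API response:", check_response(SAMPLE_VERSION_RESPONSE))
```

Feeding the script your instance’s real `/api/v4/version` output (the endpoint requires an authenticated token) turns the advisories above into a yes/no answer; extending `ADVISORIES` as new releases come out keeps that answer current.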
USEFUL RESOURCES:
Blog posts:
GitLab backup and restore best practices
GitLab restore and Disaster Recovery
Top 2023 Resources for the DevOps career roadmap
E-books:
GitLab backup guide
Success stories:
SUE adopts GitProtect.io backups for the GitLab environment to guarantee its Disaster Recovery
✍️ Subscribe to GitProtect DevSecOps X-Ray Newsletter – your guide to the latest DevOps & security insights
🚀 Ensure compliant DevOps backup and recovery with a 14-day free trial
📅 Let’s discuss your needs and see a live product tour