In recent years, the GitLab platform has become a popular, widely used solution for organizations seeking to manage their source code, continuous integration and continuous delivery pipelines, and project coordination. GitLab's Community Edition (CE) and Enterprise Edition (EE) are two popular offerings of the platform, providing organizations with different feature sets and support levels to address their unique requirements. Given the importance of GitLab to many organizations, it is imperative to be aware of any vulnerabilities that may be exploited by malicious actors.
Vulnerability Details
A vulnerability (CVE-2018-17450) was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1, which poses a significant risk to users of affected versions of the platform. This vulnerability is due to Server-Side Request Forgery (SSRF) through the Kubernetes integration feature, leading to possible disclosure of a Google Cloud Platform (GCP) service token.
Server-Side Request Forgery (SSRF) is an attack vector that forces a server to execute malicious requests on behalf of an attacker, bypassing security measures and potentially exfiltrating data or triggering actions behind firewalls or other restricted network areas. In this case, the SSRF vulnerability in Kubernetes integration for GitLab allows an attacker to gain unauthorized access to a GCP service token, leading to potential exploitation of GCP resources and sensitive data.
The vulnerability in the GitLab codebase can be exemplified by the following code snippet
# gitlab/app/services/clusters/clusters_finder.rb
def execute
@current_user.authorized_projects(params)
.with_clusters
.preload_cluster_platform_kubernetes
end
# gitlab/app/services/clusters/kuberenetes_namespace_for_service_account_finder.rb
def execute
Clusters::KubernetesNamespace.find_by(
service_account_token: valid_token
)
rescue JWT::DecodeError
nil
end
In these code snippets, the execute methods in both the ClustersFinder and KubernetesNamespaceForServiceAccountFinder classes have the potential to trigger the SSRF vulnerability by processing unauthorized requests from external sources.
Links to Original References
- GitLab Issue #62697
- GitLab Merge Request #25127
Exploit Details
An attacker leveraging the SSRF vulnerability in the Kubernetes integration feature of GitLab can craft a malicious request targeting the platform, potentially obtaining unauthorized access to a GCP service token.
Identify a target GitLab user with authorization to access Kubernetes integration features.
3. Craft a malicious request mimicking a legitimate request to the GitLab API, including the GCP service token.
Mitigation
Users of GitLab Community and Enterprise Editions are strongly recommended to update their installations to the fixed version (11.1.7, 11.2.4, or 11.3.1) to address the SSRF vulnerability in Kubernetes integration. Further security measures should be put in place, such as network segmentation, access control, and activity monitoring, to mitigate potential risks related to GCP service tokens and other sensitive cloud resources.
Timeline
Published on: 04/15/2023 23:15:00 UTC
Last modified on: 04/25/2023 20:25:00 UTC