To exploit this issue, a malicious email was sent to an engineer with access to the project. The email contained a link that would load a specially crafted page and inject a script into the project, which would then execute a query against an external database.

Note that this is not a security issue in GitLab. The source code for these vulnerable external services was publicly available and could be exploited by anyone.

GitLab has released a security fix to address this issue in version 8.10.
Intrusion Detection System (IDS) data suggests that this project was an active target for attackers. The majority of logins on the affected project were successful, and the most common issue observed was an “invalid password”.

GitLab Triple-Protection Security Feature

You can protect your GitLab installation by adding the "GitLab Triple-Protection Security Feature" to your installation.
This feature allows GitLab to perform vulnerability scans on a new or existing project that has an active vulnerability scan configured.
A vulnerability scan is initiated automatically when the gitlab-scanner service starts and has one of three results:
No vulnerabilities were found
Vulnerabilities were found but not executed, meaning they are no longer active in the project
Vulnerabilities were found and successfully executed, meaning the vulnerable project is now protected against these known vulnerabilities

Summary of the Issue

This is not a security issue in GitLab. The source code for these vulnerable external services was publicly available and could be exploited by anyone.
GitLab has released a security fix to address this issue in version 8.10.

Remote Code Execution (RCE)

The vulnerability appears to be an exploitable RCE.
A malicious user could have used this vulnerability to execute arbitrary code on the system, including commands with root privileges.
The following proof of concept shows how it would be possible to exploit this issue:
/usr/bin/python -c 'import pty; pty.spawn("/bin/bash")'

Timeline

Published on: 04/01/2022 23:15:00 UTC
Last modified on: 04/13/2022 15:53:00 UTC