CVE-2022-4201: Uncovering a Blind SSRF Vulnerability in GitLab CE/EE 11.3 to 15.4.6, 15.5.5, and 15.6.1 — A Threat to Malicious GitLab Runner Configurations

In today's post, we will dive deep into the world of server-side request forgery (SSRF) vulnerabilities, specifically the recently discovered CVE-2022-4201 affecting GitLab. GitLab is an open-source, web-based Git repository manager that allows users to collaborate on code while providing a user-friendly web interface for managing projects. This vulnerability affects GitLab versions from 11.3 to 15.4.5, 15.5.5, and 15.6.1. It poses a severe threat to users who may unwittingly expose sensitive data on internal networks to malicious actors. We will take a closer look at the exploit details and how it affects GitLab CE/EE instances.

Anatomy of the Vulnerability

CVE-2022-4201 is a blind SSRF vulnerability that essentially allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. This vulnerability exists because GitLab does not properly sanitize user input when interacting with GitLab Runners. As a result, an attacker can trick the GitLab instance into making requests to arbitrary internal or external endpoints. This is particularly dangerous, as it can potentially allow the attacker to exfiltrate sensitive data, pivot further into the network, or trigger specific actions leading to a full compromise of the GitLab instance.

Exploit Details

To exploit this vulnerability, the attacker must first register a malicious GitLab Runner with the target GitLab instance by running the GitLab Runner executable with the "register" subcommand:

./gitlab-runner register --url http://victim-gitlab-instance --registration-token REGISTRATION-TOKEN --description "malicious-runner" --executor "shell" --tag-list "ssrf"

Once registered, the attacker must then create or modify the '.gitlab-ci.yml' file of a project so that jobs are dispatched to the malicious Runner. Add the following payload, replacing 'localhost' with the internal address to connect to:

ssrf-job:
  tags:
    - ssrf
  script: curl http://localhost

After pushing these changes, the GitLab Runner will execute the 'curl' command from the job's 'script' section in '.gitlab-ci.yml', which may disclose sensitive information, trigger actions, or create further vulnerabilities in the targeted internal system.

Mitigation

The GitLab security team acknowledged this vulnerability and released patches to address the issue. Users running vulnerable versions must update to the latest versions — 15.4.6, 15.5.5, or 15.6.1 — to fix the vulnerability. Furthermore, regular monitoring of GitLab Runner registrations and restricting public access to registration tokens can also help to prevent exploitation.
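One way to act on the monitoring advice above, as an added example that is not part of the original post or of GitLab's own tooling: the script pulls the instance-wide runner list from GitLab's administrator API (GET /api/v4/runners/all, a real endpoint) and reports every runner that is missing from an approved inventory or that registered from an IP outside the networks where your runners are expected to live. The inventory, the expected networks and the sample API response are constructed for the example.

```python
"""Audit GitLab runner registrations against an approved inventory.
Added example, not from the original post or from GitLab. The admin-only
endpoint GET /api/v4/runners/all is real; the inventory, the expected
runner networks and SAMPLE_RUNNERS below are constructed."""
import ipaddress
import json
import urllib.request

def fetch_all_runners(base_url, admin_token):
    """Page through /api/v4/runners/all and return every registered runner."""
    runners, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{base_url}/api/v4/runners/all?per_page=100&page={page}",
            headers={"PRIVATE-TOKEN": admin_token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:
            return runners
        runners.extend(batch)
        page += 1

def audit_runners(runners, approved_ids, runner_networks):
    """Return {id, description, reasons} for every runner that is missing
    from the inventory or reports an IP outside the expected networks."""
    nets = [ipaddress.ip_network(n) for n in runner_networks]
    findings = []
    for r in runners:
        reasons = []
        if r["id"] not in approved_ids:
            reasons.append("id not in approved runner inventory")
        ip = r.get("ip_address")
        if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append(f"registered from {ip}, outside runner networks")
        if reasons:
            findings.append({"id": r["id"], "reasons": reasons,
                             "description": r.get("description", "")})
    return findings

# Constructed sample in the shape of the /runners/all list response.
SAMPLE_RUNNERS = [
    {"id": 11, "description": "build-runner-01", "ip_address": "10.20.0.5",
     "runner_type": "instance_type", "online": True},
    {"id": 42, "description": "malicious-runner", "ip_address": "203.0.113.44",
     "runner_type": "project_type", "online": True},
]
APPROVED_IDS = {11}                 # constructed inventory of known runner ids
RUNNER_NETWORKS = ["10.20.0.0/24"]  # constructed: networks real runners use
```

Against a live instance, run audit_runners(fetch_all_runners(url, admin_token), APPROVED_IDS, RUNNER_NETWORKS) on a schedule and alert on any non-empty result; against the constructed sample it flags runner 42 for both reasons.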

For detailed information on CVE-2022-4201, consult the following references:

- GitLab Security Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/301888
- GitLab Runner Documentation: https://docs.gitlab.com/runner/
- NVD details: https://nvd.nist.gov/vuln/detail/CVE-2022-4201

Conclusion

We hope this post sheds light on the severity and exploitation of the CVE-2022-4201 vulnerability in GitLab CE/EE. While this particular vulnerability is now patched, it is a reminder to developers, security teams, and project maintainers to stay aware of potential security risks within their applications and promptly address vulnerabilities when they are discovered.

Timeline

Published on: 01/27/2023 22:15:00 UTC
Last modified on: 02/06/2023 15:23:00 UTC