CVE-2024-4472 - GitLab Dependency Proxy Credentials Leak via GraphQL Logs — In-Depth Analysis and Exploit Example

Introduction

In June 2024, GitLab disclosed a security issue now tracked as CVE-2024-4472. If you use GitLab's Dependency Proxy feature, this is a must-read. The vulnerability means that your dependency proxy credentials could be unintentionally recorded in your GraphQL logs, exposing your authentication secrets to anyone with access to those logs.

What is CVE-2024-4472?

CVE-2024-4472 is a vulnerability in GitLab CE/EE affecting all versions from 16.5 before 17.1.7, all versions from 17.2 before 17.2.5, and all versions from 17.3 before 17.3.2.

Here's what happens:
When users interact with the Dependency Proxy, the credentials used for proxy authentication can be written to the internal GraphQL logs. Those logs may be readable by system administrators, or by attackers who gain read access to them, so the credentials end up exposed to anyone who can read the log files.

How Does the Vulnerability Happen?

GitLab's Dependency Proxy lets your pipelines cache and fetch container images through GitLab. To facilitate this, authentication credentials (like Bearer tokens) are passed in HTTP headers.

Due to improper filtering in internal logging, the entire payload, including sensitive Authorization headers, ends up stored in GraphQL logs.

In simple terms: If you or an automated job interacts with the Dependency Proxy, the credentials might be sitting in easily readable logs without your knowledge.

Self-managed and Omnibus installations

If you use public, shared, or team-accessible logs, _everyone with log access could read these credentials._

Demonstration: Proof of Concept

Let's see how easily these credentials could show up in logs.

How the Vulnerable Logging Looks

Suppose your CI/CD pipeline pulls an image through the Dependency Proxy. It sends a GraphQL API call with an Authorization header:

```http
POST /api/graphql HTTP/1.1
Host: gitlab.example.com
Authorization: Bearer glpat-SECRET-TOKEN-12345
Content-Type: application/json

{
  "query": "...dependency proxy logic..."
}
```

In vulnerable GitLab versions, the corresponding log entry might look like this:

```json
{
  "timestamp": "2024-06-19T14:22:17Z",
  "method": "POST",
  "path": "/api/graphql",
  "headers": {
    "Authorization": "Bearer glpat-SECRET-TOKEN-12345",
    "Content-Type": "application/json"
  },
  "body": {
    "query": "...dependency proxy logic..."
  },
  "user": "ci_user"
}
```

Note that the Authorization header, token included, is sitting in the log in plain text.

```bash
# On a GitLab server, a log grep could find it easily:
grep -i 'Authorization' /var/log/gitlab/gitlab-rails/production_json.log

# Output:
{"Authorization":"Bearer glpat-SECRET-TOKEN-12345", ... }
```

Any admin, or attacker with log access, can now exfiltrate this secret!

- Attackers can use these credentials to impersonate users or CI jobs.
- Dependency Proxy credentials may have permissions to pull/push images or even access more sensitive project data.
- This kind of leak makes lateral movement through infrastructure trivial once logs are obtained.
- If your logs are backed up to cloud storage or indexed in log analysis platforms, the credentials may persist there long after the original log file is rotated.

Remediation and Mitigation

1. Update now!

Upgrade to 17.1.7, 17.2.5, or 17.3.2 (or later), depending on your release line.

- 🔗 GitLab Security Releases June 2024

2. Purge credentials
- Rotate any dependency proxy credentials (personal access tokens, CI tokens, etc.) that may have been exposed.

3. Clean your logs

```bash
# Find log files under the GitLab log directory that contain a token prefix:
grep -r 'glpat-' /var/log/gitlab/
```

Purge, redact, or secure any sensitive log files the search turns up.

4. Restrict log access

Make sure only trusted admins can access GitLab log files.

5. Monitor for abuse
- Look for suspicious uses of affected credentials, particularly in image pulls/pushes.
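As an added example (not GitLab's own code), here is a small Python scanner for the "clean your logs" and "monitor for abuse" steps above: it walks newline-delimited JSON log entries in the shape shown in the proof of concept, records the JSON path of every credential it finds, and returns a redacted copy, which is also what the server-side log filter should have done before the entry was written. The sample log lines, the list of sensitive keys and the glpat- token pattern are constructed assumptions.

```python
import json
import re
from typing import Any, Optional

# Constructed sample lines (not real GitLab logs), modelled on the PoC entry above.
SAMPLE_LOG = """\
{"timestamp":"2024-06-19T14:22:17Z","method":"POST","path":"/api/graphql","headers":{"Authorization":"Bearer glpat-SECRET-TOKEN-12345","Content-Type":"application/json"},"body":{"query":"...dependency proxy logic..."},"user":"ci_user"}
{"timestamp":"2024-06-19T14:23:01Z","method":"GET","path":"/api/v4/projects","headers":{"Content-Type":"application/json"},"user":"dev_user"}
{"timestamp":"2024-06-19T14:24:44Z","method":"POST","path":"/api/graphql","body":{"variables":{"token":"glpat-ANOTHER-LEAKED-TOKEN"}},"user":"ci_user"}
"""

# Assumed: keys whose values are always secrets, and the glpat- token shape from the page.
SENSITIVE_KEYS = {"authorization", "private-token", "token", "password"}
TOKEN_RE = re.compile(r"glpat-[A-Za-z0-9_\-]+")
REDACTED = "[FILTERED]"

def redact(value: Any, path: str = "", findings: Optional[list] = None) -> Any:
    """Copy a decoded JSON value, replacing secrets; record each hit's JSON path."""
    if findings is None:
        findings = []
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            child = f"{path}.{k}" if path else k
            # A sensitive key is filtered whole, whatever its value looks like.
            if k.lower() in SENSITIVE_KEYS and isinstance(v, str):
                findings.append(child)
                out[k] = REDACTED
            else:
                out[k] = redact(v, child, findings)
        return out
    if isinstance(value, list):
        return [redact(v, f"{path}[{i}]", findings) for i, v in enumerate(value)]
    # Catch tokens that landed under an unexpected key (e.g. inside a query body).
    if isinstance(value, str) and TOKEN_RE.search(value):
        findings.append(path)
        return TOKEN_RE.sub(REDACTED, value)
    return value

def scan_log(text: str):
    """Scan newline-delimited JSON log lines; return (redacted_lines, [(lineno, path)])."""
    clean, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        hits: list = []
        entry = redact(json.loads(line), "", hits)
        clean.append(json.dumps(entry, separators=(",", ":")))
        findings.extend((lineno, p) for p in hits)
    return clean, findings
```

Run it over a real `production_json.log` or `graphql_json.log` copy to get the list of (line, path) findings to feed your token rotation, and write the redacted lines back only after the originals have been securely purged.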

Official GitLab advisory and related references:

- GitLab Critical Security Release: 17.1.7, 17.2.5, and 17.3.2
- CVE-2024-4472 - NIST NVD Entry
- GitLab Dependency Proxy Docs

Summary

CVE-2024-4472 is a serious log-leak problem affecting a wide range of GitLab installations. Until patched, your secrets could be hiding in plain sight. Update now, clean your logs, and stay vigilant!

Timeline

Published on: 09/12/2024 19:15:04 UTC
Last modified on: 09/12/2024 21:34:55 UTC