Alert! Hackers exploiting unauthenticated RCE vulnerability in GitLab in the wild
A now-patched critical remote code execution (RCE) vulnerability in GitLab’s web interface has been detected being actively exploited in the wild, cybersecurity researchers warn, leaving a large number of internet-facing GitLab instances exposed to attack.
Tracked as CVE-2021-22205, the issue stems from improper validation of user-supplied images, which results in arbitrary code execution. The vulnerability, which affects all versions starting from 11.9, was addressed by GitLab on April 14, 2021 in versions 13.8.8, 13.9.6 and 13.10.3.
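Because the fix shipped on three separate release branches, a plain "is my version newer than 13.8.8?" comparison misclassifies instances such as 13.9.0, which sorts above 13.8.8 but only received the fix in 13.9.6. The following branch-aware check is an added example written for this article, not code from the article or from GitLab; it encodes only the facts stated above (affected from 11.9, fixed in 13.8.8, 13.9.6 and 13.10.3), and the hostnames and version strings in the sample inventory are constructed.

```python
"""Branch-aware patch check for CVE-2021-22205 (GitLab RCE via image upload).

Added example, not from the original article. It encodes only the facts the
article states: all versions from 11.9 are affected, and fixes shipped in
13.8.8, 13.9.6 and 13.10.3. Version strings are assumed to be plain GitLab
release numbers such as "13.9.4" (a "-ee" suffix or "v" prefix is tolerated).
"""
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Facts taken from the article (assumed to be the complete fix list).
FIRST_AFFECTED: Version = (11, 9, 0)
FIXED_VERSIONS: List[Version] = [(13, 8, 8), (13, 9, 6), (13, 10, 3)]


def parse_version(text: str) -> Version:
    """Turn '13.9.4', '13.9.4-ee' or 'v13.10' into a (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(text: str) -> bool:
    """True if this version is in the affected range and has not received the fix.

    The comparison is done per release branch: 13.9.0 sorts above 13.8.8 but is
    still vulnerable, because the 13.9 branch only got the fix in 13.9.6.
    """
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # article: affected versions start at 11.9
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v < fixed  # same branch: patched iff at/after the fix release
    # Not on a fixed branch: branches older than 13.8 never received a fix,
    # branches newer than 13.10 were cut after the fix.
    return v[:2] < FIXED_VERSIONS[0][:2]


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (host, version) pairs into vulnerable / patched / unknown buckets."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable banner: needs a manual look
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("git-a.example.test", "13.8.7"),
        ("git-b.example.test", "13.9.0-ee"),
        ("git-c.example.test", "13.9.6"),
        ("git-d.example.test", "13.10.3"),
        ("git-e.example.test", "14.3.1"),
        ("git-f.example.test", "11.8.10"),
        ("git-g.example.test", "n/a"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The per-branch comparison is the part worth keeping: any inventory script that reduces the fix to a single threshold version will report 13.9.x and 13.10.x hosts below their respective fix releases as patched when they are not.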
In one of the real-world attacks detailed by HN Security last month, two user accounts with administrator privileges were registered on a publicly accessible GitLab server owned by an anonymous client by exploiting the aforementioned flaw to download a malicious payload, leading to remote execution of arbitrary commands, including obtaining elevated permissions.
Although the flaw was initially considered an authenticated RCE case and assigned a CVSS score of 9.9, the severity rating was revised to 10.0 on September 21, 2021 because ‘it can also be triggered by unauthenticated threat actors.’
“Despite the small change in the CVSS score, the shift from authenticated to unauthenticated has big implications for defenders,” cybersecurity firm Rapid7 noted in an alert posted on Monday.
Despite patches having been publicly available for more than six months, of the 60,000 GitLab installations accessible on the Internet, only 21% of instances are fully patched against the issue, while 50% are still vulnerable to RCE attacks.
Given the unauthenticated nature of this vulnerability, exploitation activity is expected to increase, making it critical for GitLab users to update to the latest version as soon as possible. “Additionally, ideally, GitLab should not be a service accessible over the Internet,” the researchers said. “If you need to access your GitLab from the Internet, consider placing it behind a VPN.”
Additional technical analysis of the vulnerability is available here.