Threat Response - Critical vulnerability in GitLab (CVE-2023-7028)

A recently disclosed vulnerability in GitLab Enterprise and Community Edition [1] allows an attacker to take over GitLab user accounts without user interaction [2]. Proof-of-concept code to abuse this vulnerability has been released [3], and there are signs of active exploitations [4], which prompts us to release this Threat Response now.

We urge readers to immediately apply patches provided by GitLab to mitigate the vulnerability, and to check application logs for signs of compromise.

Description

On January 11, 2024, GitLab released patches for a number of critical security vulnerabilities [1]. Among them is a critical severity vulnerability tracked as CVE-2023-7028 [2]. This vulnerability allows an attacker to trigger a password reset and supply an unverified email address during the password reset procedure.

The following versions of GitLab Enterprise and Community Edition are affected:

• 16.1 to 16.1.5
• 16.2 to 16.2.8
• 16.3 to 16.3.6
• 16.4 to 16.4.4
• 16.5 to 16.5.5
• 16.6 to 16.6.3
• 16.7 to 16.7.1

GitLab provides patches for all vulnerable versions listed above [5].

On January 13, 2024, proof-of-concept code was released to exploit this vulnerability [3]. Additionally, based on information provided by the Dutch National Cyber Security Center (NCSC) [4] and our own threat intelligence, this vulnerability is now being actively abused.

We strongly recommend installing the patches provided by GitLab to mitigate this vulnerability as soon as possible.

Impact

We estimate the impact of these vulnerabilities as HIGH as it allows attackers to gain unauthorised access to sensitive resources and can potentially be used to execute arbitrary code through deployment automation, or gain access to other systems that interact with data on GitLab.

Risk

We estimate the risk of these vulnerabilities as HIGH, given the simplicity of the exploit and the availability of proof-of-concept code, in combination with the indicators of active abuse.

Mitigation

To mitigate this vulnerability, we urge readers to immediately apply the patches released by GitLab [1,5].

If, for whatever reason, patching is not possible, two-factor authentication should be enforced for all accounts, prioritising administrative accounts. The vulnerability does not allow an attacker to circumvent two-factor authentication. [1]

If an external identity provider like Okta or Azure AD is used for all user sign-ins, then the vulnerability can also be mitigated by disabling password-based authentication altogether as outlined in [1].

What should you do?

Follow the mitigation steps listed above to mitigate the vulnerability.

Additionally, GitLab provides instructions [1] to check application logs for signs of compromise. We recommend following these instructions immediately after applying the patches.

What will Northwave do?

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. 

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl 
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

Sources

[1]: GitLab Advisory: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

[2]: CVE-2023-7028: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028

[3]: Proof-of-concept code: https://github.com/Vozec/CVE-2023-7028

[4]: NCSC-2024-0016: https://advisories.ncsc.nl/advisory?id=NCSC-2024-0016

[5]: GitLab releases: https://about.gitlab.com/releases/categories/releases/