
GitLab flaw allows account takeovers; urgent patching required


A critical vulnerability in GitLab, a widely used DevOps platform, has been flagged for active exploitation, leaving thousands of accounts at risk of unauthorised access. The flaw, CVE-2023-7028, is a maximum severity issue that allows attackers to hijack GitLab accounts without user interaction.

In May 2023, GitLab introduced a feature enabling password resets via secondary email addresses. This was intended to aid users who lost access to their primary emails. However, this well-meaning update opened the door for cybercriminals to send reset emails to addresses under their control, subsequently taking over the accounts by clicking the embedded links.

The exploit does not require user interaction but is only effective against accounts without multifactor authentication (MFA). While MFA-protected accounts are safe from unauthorised access, they are still susceptible to password resets. The vulnerability’s severity score is a staggering 10 out of 10, underscoring the urgent need for remediation.

The US Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged this vulnerability’s ongoing exploitation and urged immediate patching. Despite the lack of details on the attacks, the threat level is clear.

[Image: map of exposed GitLab instances] The largest number of vulnerable instances was found in India, followed by the US and Indonesia. | Source: The Shadowserver Foundation

The improper access control flaw presents a significant danger to the software development ecosystem. GitLab’s reach across multiple development environments means that a single breach could lead to widespread sabotage or the planting of backdoors in numerous projects. This scenario echoes the infamous SolarWinds supply chain attacks of 2020, which resulted in malware distribution to thousands of unsuspecting users, reports ArsTechnica.

Security scans reveal over 2,100 IP addresses hosting vulnerable GitLab instances, with the highest concentrations in India, the US, Indonesia, Algeria, and Thailand. The number of exposed cases has decreased since the patch was released in January, but the risk remains for unpatched systems.

All civilian federal agencies have been ordered to patch the vulnerability without delay. While CISA did not explicitly mention MFA, it is a recommended security measure for all GitLab users, ideally adhering to the FIDO industry standard.

Also, the agencies have warned GitLab users to not only patch their systems but also to ensure that previously compromised systems are secured. Patching alone cannot undo the damage of past exploits. GitLab has provided incident response guidance for affected users.
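A defender-side log audit of the kind GitLab's incident response guidance calls for, added here as an example (it is not code from GitLab or from the article): it flags password-reset requests whose recipient addresses are not all verified for the account, which is the pattern the flaw produces. The log format, field names, directory of verified addresses and sample records are all constructed assumptions, not GitLab's real schema.

```python
import json
from dataclasses import dataclass

# Constructed sample log lines in an assumed JSON shape (not GitLab's actual
# log schema): one record per request, naming the account, the addresses the
# reset mail was sent to, and the source IP.
SAMPLE_LOG = """
{"ts": "2024-01-10T09:12:01Z", "event": "password_reset_request", "username": "alice", "recipients": ["alice@example.com"], "ip": "203.0.113.5"}
{"ts": "2024-01-10T09:14:22Z", "event": "password_reset_request", "username": "bob", "recipients": ["bob@example.com", "mailbox@attacker.invalid"], "ip": "198.51.100.7"}
{"ts": "2024-01-10T09:15:40Z", "event": "password_reset_request", "username": "carol", "recipients": ["carol-alt@example.org"], "ip": "198.51.100.7"}
{"ts": "2024-01-10T09:16:03Z", "event": "login", "username": "alice", "ip": "203.0.113.5"}
"""

# Constructed directory of the addresses each account has actually verified.
VERIFIED_EMAILS = {
    "alice": {"alice@example.com"},
    "bob": {"bob@example.com"},
    "carol": {"carol@example.org"},
}


@dataclass
class Finding:
    username: str
    reason: str
    ip: str


def audit_password_resets(log_text: str, verified: dict) -> list:
    """Return a Finding for every reset request that mailed an address the
    account never verified, or that fanned out to several addresses at once."""
    findings = []
    for raw in log_text.strip().splitlines():
        rec = json.loads(raw)
        if rec.get("event") != "password_reset_request":
            continue  # only reset requests matter for this check
        user = rec["username"]
        recipients = set(rec.get("recipients", []))
        unknown = recipients - verified.get(user, set())
        if unknown:
            findings.append(Finding(user, f"reset mailed to unverified address(es): {sorted(unknown)}", rec["ip"]))
        elif len(recipients) > 1:
            findings.append(Finding(user, "reset fanned out to multiple addresses", rec["ip"]))
    return findings


if __name__ == "__main__":
    for f in audit_password_resets(SAMPLE_LOG, VERIFIED_EMAILS):
        print(f"{f.username}: {f.reason} (from {f.ip})")
```

Any account that appears in the findings should be treated as possibly compromised and its credentials, tokens and SSH keys rotated, not merely patched over.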


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
