A critical GitLab vulnerability that could enable account takeover was added to the Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
The vulnerability, tracked as CVE-2023-7028, enables an attacker to craft a specially formatted HTTP request that causes a password reset email to be sent to an unverified attacker-controlled email address, a GitLab spokesperson previously told SC Media. The flaw has a critical CVSS score of 10, as assessed by GitLab, and a high score of 7.5, as assessed by NIST.
“This is a great example of a vulnerability that gets a perfect 10, yet in reality is limited to self hosted, rather than SaaS versions. Self-hosted versions are typically accessible only to internal users, limiting the scope to internal attackers or as part of a secondary phase of an external attack,” noted OX Security CEO and Co-founder Neatsun Ziv in an email to SC Media.
The flaw was disclosed and patched on Jan. 11, and added to the KEV catalog on May 1. Further details about the exploitation of CVE-2023-7028 in the wild were not reported, but proof-of-concept (PoC) exploits for the flaw have been circulating online since mid-January.
One researcher who analyzed the vulnerability shortly after its disclosure and published their results on AttackerKB described it as “Very effective and easy to exploit.”
“The ability to take over accounts is not trivial, and even with multifactor authentication enabled, a bad actor could potentially change a password leading to the inability of the true owner of the repository to make any changes,” said Erich Kron, security awareness advocate at KnowBe4, in an email to SC Media. “It’s going to be important to ensure that activity that has taken place within the repositories since the vulnerability was introduced are reviewed and efforts are made to ensure that no malicious code was injected during these times.”
CVE-2023-7028 was first introduced in version 16.1.0, which was released on May 1, 2023, and impacts the following versions of self-managed GitLab instances:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
The vulnerability can be resolved by updating to at least 16.5.6, 16.6.4 or 16.7.2; fixes have also been backported to versions 16.1.6, 16.2.9 and 16.4.5.
More than 2,100 GitLab instances still vulnerable to attack
Two weeks after the GitLab password reset vulnerability was disclosed, Shadowserver detected more than 5,300 instances still vulnerable to CVE-2023-7028.
As of May 1, more than 2,100 servers were still exposed to CVE-2023-7028 exploitation, according to Shadowserver’s online dashboard.
A world map view of the dashboard shows most vulnerable instances are in the United States, with 355 servers, followed by Russia with 310 and China with 309.
Now that the flaw has been added to CISA’s KEV catalog, federal civilian executive branch (FCEB) agencies are required to patch their GitLab instances by May 22.
“Since the code repository is one of the most important assets a company has, not patching it may lead to catastrophic results, as we’ve seen in previous software supply chain attacks,” Ziv said. “Activating two factor authentication (MFA) prevents real account take over, so we strongly advise you to do so regardless of your current exposure to this vulnerability.”
