More than 30,000 GitLab Servers Remain Unpatched
Critical Bug Still Exploitable.
More than half of all GitLab installations are still vulnerable to a major unauthenticated, remote code execution GitLab flaw that was fixed in April 2021.
GitLab is a web-based DevOps lifecycle solution developed by GitLab Inc. that includes a Git repository manager, wiki, issue tracking, and a continuous integration and deployment pipeline with an open-source license.
The code was originally built in Ruby, with some components subsequently rewritten in Go, as a source code management solution for software development collaboration within a team. It eventually grew into an integrated software development life cycle solution, and then into the entire DevOps life cycle.
The CVE-2021-22205 vulnerability, which has a CVSS v3 score of 10.0, allows an unauthenticated, remote attacker to execute arbitrary instructions as the ‘git’ user (repository admin).
This flaw grants a remote attacker complete control over the repository, including the ability to delete, change, and steal source code.
In June 2021, hackers started to attack internet-facing GitLab servers to create new users and grant them administrative privileges.
The attackers took advantage of a functional exploit released on GitHub on June 4, 2021, which allowed them to take advantage of the ExifTool component’s vulnerability.
To exploit the vulnerability, threat actors do not need to log in, supply a CSRF token, or even use a legitimate HTTP endpoint.
With the exploitation still going on, Rapid7 researchers started to investigate the number of unpatched systems and identify the magnitude of the underlying issue.
On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code execution vulnerability in the service’s web interface. At the time, GitLab described the issue as an authenticated vulnerability that was the result of passing user-provided images to the service’s embedded version of ExifTool. A remote attacker could execute arbitrary commands as the git user due to ExifTool’s mishandling of DjVu files, an issue that was later assigned CVE-2021-22204.
CVE-2021-22205 was initially assigned a CVSSv3 score of 9.9. However, on September 21, 2021 GitLab revised the CVSSv3 score to 10.0. The increase in score was the result of changing the vulnerability from an authenticated issue to an unauthenticated issue. Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders. Rapid7’s vulnerability research team has a full root cause analysis of CVE-2021-22205 in AttackerKB.
To fix the issue, administrators must update to one of the fixed versions: 13.10.3, 13.9.6, or 13.8.8.
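Because the fix was backported to three release branches, a plain "is my version newer than X" comparison gets this wrong (13.10.2 is unpatched while the older 13.9.6 is fixed). The following branch-aware check is an added example, not code from the article or from GitLab; the hostnames and version strings in the inventory are made up.

```python
# Added example (not from the article): branch-aware check of whether a GitLab
# version carries the CVE-2021-22205 fix. The fixed releases named in the
# article are 13.8.8, 13.9.6 and 13.10.3, one per release branch, so the check
# must compare within a branch rather than against a single threshold.
from typing import Dict, Tuple

# Fixed release per (major, minor) branch, as listed in the article.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
# Assumption: every branch from 13.11 onward was cut after the fix landed.
FIRST_CLEAN_BRANCH = (13, 11)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z', tolerating edition/build suffixes such as '13.10.3-ee'."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if this version includes the CVE-2021-22205 fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch >= FIRST_CLEAN_BRANCH:
        return True
    fixed = FIXED_BY_BRANCH.get(branch)
    # The article names no fixed release for branches older than 13.8,
    # so a defender treats those as unpatched.
    if fixed is None:
        return False
    return v >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'patched' / 'UNPATCHED' for an inventory of versions."""
    return {host: ("patched" if is_patched(ver) else "UNPATCHED")
            for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-a.example": "13.10.2-ee",
    "gitlab-b.example": "13.9.6-ce.0",
    "gitlab-c.example": "13.7.9",
    "gitlab-d.example": "14.0.1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```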
As explained by BleepingComputer, whether GitLab Enterprise Edition (EE) or GitLab Community Edition (CE) is used, any version before 11.9 is vulnerable to abuse.