Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month.
The critical (CVSS score: 10.0) flaw allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, letting the threat actor change the password and take over the account.
Although the flaw does not bypass two-factor authentication (2FA), it is a significant risk for any account not protected by this additional security mechanism.
The issue affects GitLab Community and Enterprise Edition versions 16.1 before 16.1.5, 16.2 before 16.2.8, 16.3 before 16.3.6, 16.4 before 16.4.4, 16.5 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2.
GitLab released fixes in 16.7.2, 16.5.6, and 16.6.4, and also backported patches to 16.1.6, 16.2.9, and 16.3.7, on January 11, 2024.
Today, 13 days after the security updates were made available, threat monitoring service ShadowServer reports seeing 5,379 vulnerable GitLab instances exposed online.
Given GitLab's role as a software development and project planning platform and the type and severity of the flaw, these servers are at risk of supply chain attacks, proprietary code disclosure, API key leaks, and other malicious activity.
Shadowserver reports that most of the vulnerable servers are in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the U.K. (122), India (117), and Canada (99).
Those who have not patched yet may already have been compromised, so following GitLab's incident response guide and checking for indicators of compromise is essential.
GitLab previously shared the following detection recommendations for defenders:
Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
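The two checks above can be run over the log files directly. The following Python is an added example written for this page, not GitLab's own tooling. It assumes that production_json.log lines are JSON objects with a "path" field and a "params" array of {"key": ..., "value": ...} entries, that audit_json.log lines carry the caller id under "meta.caller_id" (the key real audit logs use) or "meta.caller.id" (as the advisory spells it), and that "target_details" may hold either a JSON array or a string containing one. The sample log lines are constructed for the example.

```python
"""Added example (not from the page or from GitLab): flag the CVE-2023-7028
indicators GitLab describes, scanning JSON-lines logs for password reset
requests whose email parameter is an array of several addresses."""
import json
from typing import Any, Callable, Dict, Iterable, List

RESET_PATH = "/users/password"                 # path named in GitLab's guidance
RESET_CALLER = "PasswordsController#create"    # caller id named in GitLab's guidance


def _is_multi_email(value: Any) -> bool:
    """True when value is a JSON array holding more than one email address.
    A string containing a JSON array (one way audit_json.log may serialise
    target_details; assumed) is decoded first."""
    if isinstance(value, str) and value.startswith("["):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return False
    return isinstance(value, list) and sum("@" in str(v) for v in value) > 1


def _param_values(params: Any) -> Iterable[Any]:
    """Yield parameter values from GitLab's key/value array form, or from a
    plain dict (assumed alternative shape), so either layout is handled."""
    if isinstance(params, list):
        for p in params:
            if isinstance(p, dict) and "value" in p:
                yield p["value"]
    elif isinstance(params, dict):
        yield from params.values()


def is_suspicious_reset_request(entry: Dict[str, Any]) -> bool:
    """production_json.log indicator: a request to /users/password whose
    user[email] parameter is an array with several addresses."""
    if entry.get("path") != RESET_PATH:
        return False
    for value in _param_values(entry.get("params")):
        if isinstance(value, dict) and _is_multi_email(value.get("email")):
            return True
    return False


def is_suspicious_audit_entry(entry: Dict[str, Any]) -> bool:
    """audit_json.log indicator: PasswordsController#create whose
    target_details holds several addresses."""
    caller = entry.get("meta.caller_id") or entry.get("meta.caller.id")
    return caller == RESET_CALLER and _is_multi_email(entry.get("target_details"))


def scan(lines: Iterable[str], predicate: Callable[[Dict[str, Any]], bool]) -> List[Dict[str, Any]]:
    """Parse JSON-lines input and return the entries the predicate flags.
    Malformed lines are skipped so one bad line does not abort a scan."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and predicate(entry):
            hits.append(entry)
    return hits


# Constructed sample lines (not real GitLab output): one benign reset, one
# unrelated request, one entry matching the indicator in each log.
SAMPLE_PRODUCTION_LOG = [
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "203.0.113.10",
                "params": [{"key": "user", "value": {"email": "alice@example.com"}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "params": []}),
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "198.51.100.7",
                "params": [{"key": "user", "value": {"email": ["alice@example.com", "unknown@example.net"]}}]}),
]
SAMPLE_AUDIT_LOG = [
    json.dumps({"meta.caller_id": "PasswordsController#create", "target_details": "alice@example.com"}),
    json.dumps({"meta.caller_id": "SessionsController#create", "target_details": "alice@example.com"}),
    json.dumps({"meta.caller_id": "PasswordsController#create",
                "target_details": '["alice@example.com","unknown@example.net"]'}),
]


def flag_sample_logs() -> Dict[str, int]:
    """Run both checks over the constructed samples and count the hits."""
    return {
        "production_hits": len(scan(SAMPLE_PRODUCTION_LOG, is_suspicious_reset_request)),
        "audit_hits": len(scan(SAMPLE_AUDIT_LOG, is_suspicious_audit_entry)),
    }


if __name__ == "__main__":
    for hit in scan(SAMPLE_PRODUCTION_LOG, is_suspicious_reset_request):
        print("production_json.log hit from", hit.get("remote_ip"), "->", hit["params"])
    for hit in scan(SAMPLE_AUDIT_LOG, is_suspicious_audit_entry):
        print("audit_json.log hit ->", hit["target_details"])
```

On a real instance the two scan calls would read from gitlab-rails/production_json.log and gitlab-rails/audit_json.log (including rotated copies covering the period since the affected version was installed); the remote_ip and timestamp of any hit are the starting point for the credential rotation and code review steps described below.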
Admins who find instances that have been compromised should rotate all credentials, API tokens, certificates, and any other secrets, in addition to enabling 2FA on all accounts and applying the security update.
After securing the servers, admins should check for changes in their development environment, including source code and potentially tampered files.
As of today, there have been no confirmed cases of active exploitation of CVE-2023-7028, but this should not be interpreted as a reason to postpone taking action.