GitLab development platform vulnerable to a potentially catastrophic breach


Camille Coirault

May 7, 2024 at 6:54 a.m.


GitLab is free software, but that does not prevent it from being used by large groups like IBM, Boeing or Sony © Virrage Images / Shutterstock

A very severe vulnerability in GitLab was disclosed earlier this year. The flaw exposes user accounts to takeover and is still being exploited today.

GitLab, the Git-based version control and collaborative development platform, is facing a major vulnerability that has drawn the attention of US federal authorities. Tracked as CVE-2023-7028, the flaw lets attackers take over GitLab accounts by abusing a recently introduced password reset feature, seriously compromising the security of development environments.

GitLab offers tooling comparable to GitHub, a service that was itself the target of an attack two weeks ago.

A problematic flaw

CVE-2023-7028 carries the maximum severity score of 10 out of 10, indicating a very significant risk. It was introduced by a change to the platform (one that had already drawn some criticism when it shipped in GitLab 16.1) and allowed attackers to take control of user accounts by abusing a new password reset option.

The feature was designed for users who have lost access to their primary email address: it lets the password reset link be sent to a secondary email address instead. The problem was that the address supplied in the reset request was not checked against the account's verified addresses, so an attacker could have the reset email for a victim's account delivered to an address they control (in the exploited form, by submitting the email parameter as a list containing the victim's address and their own). Clicking the link in that email let them set a new password, impersonate the legitimate user and sign in to their GitLab account. Accounts with two-factor authentication enabled could have their password reset but not be taken over, since the second factor was still required at login. This is indeed what happened in the wild.
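To make the mechanism concrete, here is an added example (not GitLab's code, and not the actual patch) modelling the reset request handling in Ruby, GitLab's own language: a vulnerable handler that mails the reset token to every address the request carries, next to a hardened one that accepts a single string and only ever delivers to an address already verified for the matched account. `User`, `Mailer`, `USERS` and the two handler functions are hypothetical names; the sample account data is constructed.

```ruby
require "securerandom"

# Hypothetical account record: a user may have several verified addresses
# (primary plus secondary), which is the feature the reset flow extended.
User = Struct.new(:username, :primary_email, :verified_emails)

# Test double that records reset mails instead of sending them.
class Mailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  def deliver_reset(to:, token:)
    @sent << { to: to, token: token }
  end
end

# Constructed sample data: one account with a verified secondary address.
USERS = [
  User.new("victim", "victim@example.com", ["victim@example.com", "victim2@example.com"]),
].freeze

def find_user_by_email(email)
  USERS.find { |u| u.verified_emails.include?(email) }
end

# VULNERABLE model: user[email] is used as parsed from the request body.
# Rack turns user[email][]=a&user[email][]=b into an array, so the lookup
# matches the victim through the first address and the token is then mailed
# to every address in the list, including one the attacker controls.
def vulnerable_reset(params, mailer)
  emails = Array(params.dig("user", "email"))
  user = emails.map { |e| find_user_by_email(e) }.compact.first
  return :not_found unless user

  token = SecureRandom.hex(16)
  emails.each { |e| mailer.deliver_reset(to: e, token: token) }
  :sent
end

# HARDENED model: accept exactly one string, and deliver only to an address
# that is already verified for the matched account (primary or secondary),
# so the request can never redirect the token to an unverified mailbox.
def hardened_reset(params, mailer)
  email = params.dig("user", "email")
  return :bad_request unless email.is_a?(String)

  user = find_user_by_email(email)
  # A real handler would answer identically here to avoid user enumeration.
  return :not_found unless user

  token = SecureRandom.hex(16)
  mailer.deliver_reset(to: email, token: token)
  :sent
end
```

The important design point is that the hardened version never trusts the type or the content of the submitted address: the lookup decides whether the address is verified, and the request cannot add delivery targets.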

Active exploitation of this flaw has been confirmed by US federal authorities: the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog. The severity of the flaw lies in the fact that GitLab is a central platform for many development environments, providing access to critical resources and sensitive data. If compromised, these resources could be used to deploy malware, as in the SolarWinds supply-chain attack of 2020.

Treemap of IP addresses vulnerable to CVE-2023-7028 in GitLab, by country (Shadowserver scan data)

Consequences and prevention measures

Although a patch has been available since January 22 (a week after CVE-2023-7028 was publicly disclosed), scans by the Shadowserver Foundation showed that more than 2,100 IP addresses still hosted vulnerable GitLab instances, down from 5,300 in January. Faced with this alarming situation, CISA flagged the vulnerability as actively exploited and ordered civilian federal agencies to apply the fix without delay. The fixed releases are 16.7.2, 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9 and 16.1.6; any instance on the 16.1 to 16.7 series that is older than the corresponding fix should be treated as vulnerable.

CISA also warned that applying the patch does not secure an instance that was already compromised through the flaw. The agency therefore pointed users to GitLab's own remediation guidance, published in a dedicated section of its site: check the logs for password reset requests that carried more than one email address, rotate the credentials (passwords, personal access tokens, SSH keys and CI/CD secrets) of any account that shows signs of abuse, and enable two-factor authentication across the board. If you run GitLab, it is worth a look.
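The first of those checks is the one an operator can script in minutes. The following is an added example (not part of the article or of GitLab's guidance) that scans lines in the shape of `gitlab-rails/production_json.log` for POSTs to `/users/password` whose `user[email]` parameter arrived as an array, the indicator GitLab's advisory describes. The sample log lines are constructed, the log layout (one JSON object per line, request params as a list of `key`/`value` pairs) is an assumption about the format, and `reset_email_param` and `suspicious_resets` are hypothetical names.

```ruby
require "json"

# Constructed sample lines in the shape of gitlab-rails/production_json.log:
# one JSON object per line, request params as a list of key/value pairs.
# Addresses and IPs are from documentation ranges; line 3 is the attack shape,
# line 4 checks that a non-JSON line is skipped rather than crashing the scan.
SAMPLE_LOG = <<~LOG
  {"method":"GET","path":"/users/sign_in","params":[],"status":200,"remote_ip":"203.0.113.5","time":"2024-01-12T08:00:00.000Z"}
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"status":302,"remote_ip":"203.0.113.7","time":"2024-01-12T08:01:00.000Z"}
  {"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","attacker@evil.example"]}}],"status":302,"remote_ip":"198.51.100.9","time":"2024-01-12T08:02:00.000Z"}
  this line is not JSON and must be skipped, not crash the scan
LOG

# Returns the email value of the "user" request param, whatever type the
# client sent (String for the legitimate form, Array for the crafted one).
def reset_email_param(entry)
  user_param = Array(entry["params"]).find { |p| p.is_a?(Hash) && p["key"] == "user" }
  return nil unless user_param && user_param["value"].is_a?(Hash)

  user_param["value"]["email"]
end

# Scans log text and returns one finding per password-reset POST whose email
# parameter was an array. The reset form submits a single string, so an array
# (especially one with more than one address) is the indicator to hunt for.
def suspicious_resets(log_text)
  log_text.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil
    end
    next unless entry.is_a?(Hash)
    next unless entry["method"] == "POST" && entry["path"] == "/users/password"

    email = reset_email_param(entry)
    next unless email.is_a?(Array)

    { time: entry["time"], remote_ip: entry["remote_ip"], emails: email }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_resets(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:remote_ip]} reset requested for #{f[:emails].join(', ')}"
  end
end
```

Against a real instance, feed the function the contents of the production JSON log (on an Omnibus install, under `/var/log/gitlab/gitlab-rails/`), and treat every account whose address appears in a finding as potentially taken over: reset its password, revoke its tokens and keys, and review its recent activity, since a hit here means the attacker received a valid reset token.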

Source: Ars Technica

Camille Coirault


One day I woke up on the boat arriving in Morrowind, and I got my finger caught in the gears. Another of my fingers was also stuck between the pages of books by classic authors: Charles Baudelaire, Émile Zola, Choderlos de Laclos or Victor Hugo, to name a few. Twenty years, a few thousand hours of playing and reading later, here I am! My heart still swings between my passion for tech and video games and my immeasurable love of literature. Spoiler: I haven't chosen, and that's not likely to happen anytime soon.
