GitLab released an advisory on Thursday, March 31st regarding a new critical vulnerability found in their product, currently being tracked as CVE-2022-1162. When exploited, this vulnerability can lead to account takeover. GitLab has released a security patch, and Barracuda MSP recommends updating GitLab and changing affected users’ passwords as soon as possible.
Technical Detail & Additional Information
What is the threat?
CVE-2022-1162 describes a hardcoded password being set for accounts registered using an OmniAuth provider (OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2. Accounts created using an OmniAuth provider on the affected versions listed above have a set password which, if known to a prospective attacker, is easily compromised. This gives an attacker full control of any account for which the password was not changed. At this time, GitLab has stated that they are not aware of any accounts being compromised through this vulnerability, and they have “executed a reset of GitLab.com passwords for a selected set of users” as a precaution.
Why is it noteworthy?
Hardcoded passwords are written in plaintext within the source code. This level of exposure is a critical security risk, as anyone who can read the code learns the password and can use it to sign in as the affected accounts. GitLab has developed a script that can be used by customers to identify accounts that were created during a certain time period and could therefore be vulnerable. Customers are encouraged to manually change the passwords of these identified accounts if they haven’t done so already.
What is the exposure or risk?
If this vulnerability were exploited, it would provide an attacker complete control of the GitLab account in question. The attacker can then compromise any existing projects that the account has access to, which can lead to further damage downstream depending on the nature of the project in GitLab.
What are the recommendations?
Barracuda MSP recommends updating all GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 to the latest version immediately to prevent any account compromise. Additionally, GitLab has created a script (which can be found here) to identify user accounts potentially impacted by this vulnerability.
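As an added illustration of the two defender-side checks above (confirming whether an instance is on an affected version, and identifying OmniAuth-created accounts whose passwords should be reset, as GitLab's script does), here is a small Python triage helper. It is example code written for this post, not GitLab's script or Barracuda's tooling. The user-record layout (username, created_at, identities carrying a provider name), the provider-name matching rule and the creation-time window are assumptions made for the example, and the sample records are constructed.

```python
"""Triage helper for CVE-2022-1162 (hardcoded password on OmniAuth-created GitLab accounts).

Added example; not GitLab's identification script and not Barracuda's code.
1. is_affected(): decides whether a GitLab CE/EE version string falls inside the
   affected ranges stated in the advisory (14.7 < 14.7.7, 14.8 < 14.8.5, 14.9 < 14.9.2).
2. accounts_to_reset(): filters user records for accounts created through an
   OmniAuth provider inside an admin-supplied time window, i.e. the accounts
   whose passwords should be changed. Record shape and window are assumptions.
"""
from datetime import datetime, timezone

# Affected minor branches and the first fixed patch release in each (from the advisory).
FIXED_PATCH = {(14, 7): 7, (14, 8): 5, (14, 9): 2}


def parse_version(version: str) -> tuple:
    """Parse '14.8.4', '14.8.4-ee' or 'v14.8.4' into (major, minor, patch)."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is in one of the advisory's vulnerable ranges."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False  # branch not listed in the advisory (e.g. 14.6.x or 14.10.x)
    return patch < fixed


def is_omniauth_provider(provider: str) -> bool:
    """Assumed matching rule for the providers the advisory names (OAuth, LDAP, SAML).
    GitLab names LDAP providers 'ldap<server-id>' (e.g. 'ldapmain'); OAuth providers
    usually carry 'oauth' in their name. Adjust to your instance's configured providers."""
    p = provider.lower()
    return p == "saml" or p.startswith("ldap") or "oauth" in p


def accounts_to_reset(users, window_start: datetime, window_end: datetime) -> list:
    """Return usernames created via an OmniAuth provider inside [window_start, window_end].

    `users` is a list of dicts shaped like a simplified GitLab Users API record:
    {"username": str, "created_at": ISO-8601 str, "identities": [{"provider": str, ...}]}.
    """
    flagged = []
    for u in users:
        # Accept the 'Z' suffix GitLab emits as well as an explicit offset.
        created = datetime.fromisoformat(u["created_at"].replace("Z", "+00:00"))
        if not (window_start <= created <= window_end):
            continue  # created outside the window the advisory/script cares about
        if any(is_omniauth_provider(i["provider"]) for i in u.get("identities", [])):
            flagged.append(u["username"])
    return flagged


# Constructed sample records (not real users or real data).
SAMPLE_USERS = [
    {"username": "alice", "created_at": "2022-02-10T09:00:00Z",
     "identities": [{"provider": "saml", "extern_uid": "alice@example.test"}]},
    {"username": "bob", "created_at": "2022-02-12T14:30:00Z",
     "identities": []},  # local password sign-up, not OmniAuth: not flagged
    {"username": "carol", "created_at": "2022-01-05T08:00:00Z",
     "identities": [{"provider": "ldapmain", "extern_uid": "uid=carol,ou=people"}]},  # before window
    {"username": "dave", "created_at": "2022-03-01T11:15:00Z",
     "identities": [{"provider": "oauth2_generic", "extern_uid": "dave"}]},
]

# PLACEHOLDER window: take the real period from GitLab's advisory/script for your instance.
WINDOW_START = datetime(2022, 2, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 3, 31, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    for v in ("14.7.6", "14.7.7", "14.8.4-ee", "14.9.2", "14.6.9"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not in affected range'}")
    print("accounts to reset:", accounts_to_reset(SAMPLE_USERS, WINDOW_START, WINDOW_END))
```

In practice the user list would come from an admin export of the instance's users (the API's `identities` field is only returned to administrators); the version check is the quick first gate, and the account list is what feeds the password resets described in GitLab's reset documentation linked below.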
For more in-depth information about the recommendations, please visit the following links:
- Source 1: https://securityaffairs.co/wordpress/129730/hacking/cve-2022-1162-flaw-gitlab.html
- Source 2: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
- Source 3: https://docs.gitlab.com/ee/security/reset_user_password.html#reset-a-users-password
If you have any questions, please contact our Security Operations Center.
This post was based on a threat advisory issued by our Barracuda Managed XDR team. For more info on how to best prepare your MSP business to protect clients from cyberthreats, visit the Barracuda Managed XDR page.