
WARNING: CRITICAL ARBITRARY FILE WRITE VULNERABILITY IN GITLAB CE/EE, PATCH IMMEDIATELY!

Reference: Advisory #2024-16
Version: 1.0
Affected software:
GitLab CE/EE 16.0 prior to 16.5.8
GitLab CE/EE 16.6 prior to 16.6.6
GitLab CE/EE 16.7 prior to 16.7.4
GitLab CE/EE 16.8 prior to 16.8.1
Type: Arbitrary File Write
CVE/CVSS: CVE-2024-0402: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/

Risks

A critical vulnerability was discovered in GitLab CE/EE that allows an attacker with only low-privilege access to compromise the GitLab server. The compromised system could be used to exfiltrate sensitive data from your organization and potentially as a pivot into other networks to compromise the entire organization.

Description

CVE-2024-0402 is an arbitrary file write vulnerability that allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. A malicious attacker can use this vulnerability to upload webshells or other malware to your GitLab instance; the uploaded files can then be used to compromise the GitLab server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. This issue was resolved in versions 16.6.6, 16.7.4, and 16.8.1, and has been backported to version 16.5.8.

The Centre for Cybersecurity Belgium strongly recommends that organizations disable user sign-up functionality in their GitLab environment to limit the potential attack surface. Additionally, the CCB recommends placing any GitLab instances behind a zero-trust or VPN network for a strong defence-in-depth approach.
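The two recommendations above, applied to the advisory's version ranges, as an added example that is not part of this advisory: the check classifies a reported GitLab version against the affected branches (16.0 through 16.4 are covered by the 16.5.8 backport) and flags whether open sign-up would hand an attacker the low-privilege account the vulnerability needs. It assumes the version string has the `MAJOR.MINOR.PATCH` shape of GitLab's `/api/v4/version` response and that the application settings expose a `signup_enabled` field; all inputs here are constructed samples.

```python
"""Offline check of GitLab versions and the sign-up setting against CCB Advisory #2024-16.
Added example, not part of the advisory. Inputs are constructed samples; in practice the
version comes from GET /api/v4/version and the settings from GET /api/v4/application/settings."""
from typing import Optional, Tuple

# First fixed release on each branch the advisory names. 16.0-16.4 have no
# fix of their own: the advisory points them to the 16.5.8 backport.
FIXED_BY_BRANCH = {
    (16, 5): (16, 5, 8),
    (16, 6): (16, 6, 6),
    (16, 7): (16, 7, 4),
    (16, 8): (16, 8, 1),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating edition suffixes such as '16.7.3-ee'."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is a patched
    release on a listed branch, None if the advisory says nothing about it."""
    major, minor, patch = parse_version(text)
    if major != 16:
        return None                     # advisory covers the 16.x series only
    if minor < 5:
        return True                     # 16.0 through 16.4: upgrade to >= 16.5.8
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None                     # branch not listed in this advisory
    return (major, minor, patch) < fixed

def signup_exposure(settings: dict) -> bool:
    """True when open sign-up is on, i.e. anyone can obtain the low-privilege
    account the vulnerability requires (reads the assumed 'signup_enabled' field)."""
    return bool(settings.get("signup_enabled", False))

if __name__ == "__main__":
    for v in ["16.4.2", "16.5.7-ee", "16.5.8", "16.7.3", "16.8.1", "17.0.0"]:
        print(f"{v:<10} vulnerable={is_vulnerable(v)}")
    # constructed sample of an application settings API response
    print("sign-up open:", signup_exposure({"signup_enabled": True}))
```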

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

More Information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0402