Sunday, February 23, 2025

More than 5,300 GitLab servers weak to zero-click account takeover assaults

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month.

The critical (CVSS score: 10.0) flaw allows attackers to have password reset emails for a targeted account sent to an attacker-controlled email address, letting the threat actor change the password and take over the account.

Although the flaw does not bypass two-factor authentication (2FA), it is a critical risk for any account not protected by this additional security mechanism.

The issue affects GitLab Community and Enterprise Edition versions 16.1 before 16.1.5, 16.2 before 16.2.8, 16.3 before 16.3.6, 16.4 before 16.4.4, 16.5 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2.

GitLab released fixes in 16.7.2, 16.5.6, and 16.6.4 on January 11, 2024, and also backported patches to 16.1.6, 16.2.9, and 16.3.7.

Today, 13 days after the security updates were made available, threat monitoring service Shadowserver reports seeing 5,379 vulnerable GitLab instances exposed online.

Given GitLab's role as a software development and project planning platform, and the type and severity of the flaw, these servers are exposed to supply chain attacks, proprietary code disclosure, API key leaks, and other malicious activity.

Shadowserver reports that most of the vulnerable servers are in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the UK (122), India (117), and Canada (99).

Those who have not patched yet may already have been compromised, so following GitLab's incident response guide and checking for indicators of compromise is essential.

GitLab previously shared the following detection tips for defenders:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
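The two log checks above can be automated. The following script is an added example, not GitLab's own tooling: it walks both JSON-lines logs and flags exactly the two conditions GitLab describes, a password reset request whose email parameter is an array of several addresses, and a PasswordsController#create audit entry whose target_details is such an array. The sample log lines are constructed for this example; the assumed field layout (params as a list of key/value objects, target_details as a string or array, and the audit key spelled either meta.caller_id or meta.caller.id) follows GitLab's JSON log style but may differ between versions, so adjust the field names against a real log before relying on it.

```python
import json
from typing import Iterator

# Constructed sample lines in the style of gitlab-rails/production_json.log.
# The second line shows the indicator GitLab describes: params.value.email is a
# JSON array holding more than one address. Addresses and IPs are placeholders.
PRODUCTION_JSON_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"status":302,"remote_ip":"203.0.113.10","time":"2024-01-12T08:00:00.000Z"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","mailbox@example.net"]}}],"status":302,"remote_ip":"198.51.100.7","time":"2024-01-12T08:05:00.000Z"}
{"method":"GET","path":"/users/sign_in","params":[],"status":200,"remote_ip":"203.0.113.11","time":"2024-01-12T08:06:00.000Z"}
"""

# Constructed sample lines in the style of gitlab-rails/audit_json.log.
# The second line is the audit-side indicator: target_details is an array.
AUDIT_JSON_LOG = """\
{"meta.caller_id":"PasswordsController#create","target_details":"alice@example.com","time":"2024-01-12T08:00:00.000Z"}
{"meta.caller_id":"PasswordsController#create","target_details":["alice@example.com","mailbox@example.net"],"time":"2024-01-12T08:05:00.000Z"}
{"meta.caller_id":"SessionsController#create","target_details":"bob@example.com","time":"2024-01-12T08:06:00.000Z"}
"""

RESET_PATH = "/users/password"
RESET_CALLER = "PasswordsController#create"


def _json_lines(text: str) -> Iterator[dict]:
    """Yield one parsed object per non-empty line; skip lines that are not valid JSON."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def _multi_address(value) -> bool:
    """True when a field that should hold one email holds a JSON array of several."""
    return isinstance(value, list) and len(value) > 1


def _email_params(entry: dict) -> Iterator[object]:
    """Yield every 'email' value found under params[].value (assumed layout)."""
    for param in entry.get("params") or []:
        value = param.get("value") if isinstance(param, dict) else None
        if isinstance(value, dict) and "email" in value:
            yield value["email"]


def suspicious_production_entries(text: str) -> list[dict]:
    """Password reset requests whose email parameter is an array of several addresses."""
    hits = []
    for entry in _json_lines(text):
        if entry.get("path") != RESET_PATH:
            continue
        for email in _email_params(entry):
            if _multi_address(email):
                hits.append({"time": entry.get("time"),
                             "remote_ip": entry.get("remote_ip"),
                             "emails": email})
                break
    return hits


def suspicious_audit_entries(text: str) -> list[dict]:
    """PasswordsController#create audit entries whose target_details is an array."""
    hits = []
    for entry in _json_lines(text):
        # Assumption: the caller field may be spelled either way depending on version.
        caller = entry.get("meta.caller_id") or entry.get("meta.caller.id")
        if caller != RESET_CALLER:
            continue
        if _multi_address(entry.get("target_details")):
            hits.append({"time": entry.get("time"),
                         "emails": entry["target_details"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_production_entries(PRODUCTION_JSON_LOG):
        print("production_json.log:", hit)
    for hit in suspicious_audit_entries(AUDIT_JSON_LOG):
        print("audit_json.log:", hit)
```

On a real host, read the two files under /var/log/gitlab/gitlab-rails/ (for Omnibus installs) instead of the embedded strings, and treat every address in a flagged array that does not belong to the targeted user as a lead for the credential and token rotation described below.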

Admins who find instances that have been compromised should rotate all credentials, API tokens, certificates, and any other secrets, in addition to enabling 2FA on all accounts and applying the security update.

After securing the servers, admins should check for changes to their development environment, including source code and potentially tampered files.

As of today, there have been no confirmed cases of active exploitation of CVE-2023-7028, but this should not be taken as a reason to postpone action.
