Summary: GitLab has released a critical security update to address a severe vulnerability (CVE-2024-45409) affecting its Community and Enterprise Editions, which could allow unauthorized access through SAML authentication flaws. Administrators are urged to upgrade to the latest patched versions to mitigate potential exploitation risks.
Threat Actor: Unknown | unknown
Victim: GitLab users | GitLab
Key Points:
- GitLab’s vulnerability arises from improper validation of SAML responses, allowing attackers to bypass authentication.
- Attackers can exploit this flaw to gain unauthorized access to sensitive repositories and business assets.
- Indicators of exploitation include unusual ‘extern_uid’ values and authentication attempts from suspicious IP addresses.
- Administrators are strongly advised to upgrade to patched versions immediately to protect their installations.
In a crucial security release, GitLab has addressed a severe vulnerability (CVE-2024-45409) in its Community Edition (CE) and Enterprise Edition (EE) platforms, impacting all self-managed installations. Administrators are strongly encouraged to upgrade immediately to the newly patched versions 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, or 16.0.10. These versions contain the critical security fix initially released for GitLab versions 17.x.x and 16.11.10.
CVE-2024-45409 is a critical vulnerability affecting the Security Assertion Markup Language (SAML) authentication used by GitLab’s OmniAuth framework. SAML is a single sign-on (SSO) protocol that simplifies user login by allowing access to multiple services with one set of credentials. This vulnerability arises from a flaw in how GitLab validates the SAML responses sent by an Identity Provider (IdP), specifically in the OmniAuth-SAML and Ruby-SAML libraries.
The bug occurs when GitLab mishandles certain elements of the SAML assertion, particularly the extern_uid (external user ID). The extern_uid is a critical identifier used to recognize users across multiple systems. If the SAML response is misconfigured or manipulated, an attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the GitLab instance.
The flaw allows attackers to craft malicious SAML responses that trick GitLab into believing they are legitimate, authenticated users. By bypassing SAML authentication entirely, attackers can gain unrestricted access to sensitive GitLab repositories and potentially compromise source code, intellectual property, and other critical business assets.
GitLab has not explicitly confirmed any cases of exploitation in the wild, but the security bulletin warns that attempts may have already been made. Indicators of possible exploitation include:
- Errors related to ‘RubySaml::ValidationError’ (unsuccessful attempts)
- New or unusual ‘extern_uid’ values in authentication logs (successful attempts)
- Missing or incorrect information in SAML responses
- Multiple ‘extern_uid’ values for a single user (potential account compromise)
- SAML authentication from unfamiliar or suspicious IP addresses
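A log triage sketch for the indicators listed above, added here as an example rather than GitLab's own tooling; the JSON-lines log shape and field names, the extern_uid baseline and the trusted address prefix are all assumptions, and the sample lines are constructed:

```python
import json
from collections import defaultdict

# Constructed sample lines in a JSON-lines shape; the field names are assumptions
# for this example, not GitLab's exact log schema.
SAMPLE_LOGS = """\
{"time":"2024-09-18T10:00:01Z","message":"SAML login","username":"alice","extern_uid":"alice@corp.example","remote_ip":"10.0.0.5"}
{"time":"2024-09-18T10:02:11Z","message":"RubySaml::ValidationError: Invalid Signature on SAML Response","remote_ip":"203.0.113.9"}
{"time":"2024-09-18T10:03:40Z","message":"SAML login","username":"alice","extern_uid":"uid-9f3a","remote_ip":"203.0.113.9"}
{"time":"2024-09-18T10:05:00Z","message":"SAML login","username":"bob","extern_uid":"bob@corp.example","remote_ip":"10.0.0.7"}
"""

# Baseline of extern_uid values the IdP actually issues, and trusted source
# address prefixes; both are assumed values for the example.
KNOWN_EXTERN_UIDS = {"alice@corp.example", "bob@corp.example"}
TRUSTED_PREFIXES = ("10.",)


def triage(log_text, known_uids=KNOWN_EXTERN_UIDS, trusted=TRUSTED_PREFIXES):
    """Return (indicator, detail) tuples for each bulletin indicator seen in the log."""
    findings = []
    uids_per_user = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        msg = entry.get("message", "")
        ip = entry.get("remote_ip", "")
        # Failed attempts surface as RubySaml::ValidationError in the logs.
        if "RubySaml::ValidationError" in msg:
            findings.append(("validation_error", f"{ip}: {msg}"))
            continue
        if msg != "SAML login":
            continue
        user, uid = entry.get("username"), entry.get("extern_uid")
        uids_per_user[user].add(uid)
        # A successful login carrying an extern_uid the IdP never issued.
        if uid not in known_uids:
            findings.append(("unknown_extern_uid", f"{user} <- {uid}"))
        # SAML login from an address outside the expected ranges.
        if not ip.startswith(trusted):
            findings.append(("untrusted_ip", f"{user} from {ip}"))
    # One account seen with several extern_uid values: possible compromise.
    for user, uids in uids_per_user.items():
        if len(uids) > 1:
            findings.append(("multiple_extern_uid", f"{user}: {sorted(uids)}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOGS):
        print(f"[{indicator}] {detail}")
```

Run it against your real authentication logs only after mapping the field names to the format your instance writes.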
GitLab strongly recommends that all affected self-managed installations be upgraded to one of the patched versions immediately.
Source: https://securityonline.info/gitlab-backports-fix-for-cve-2024-45409-to-older-versions