Cyber Security News

GitLab Releases Critical Security Patch for CVE-2024-45409 (CVSS 10) Vulnerability

Cyware

Summary: GitLab has released an urgent security update to address a critical vulnerability (CVE-2024-45409) affecting both Community and Enterprise Editions, which poses a severe risk by allowing unauthenticated attackers to forge SAML responses and gain unauthorized access to sensitive projects. The flaw is linked to improper signature verification in the Ruby-SAML library, necessitating immediate updates to prevent potential exploitation.

Threat Actor: Unauthenticated attacker | unauthenticated attacker
Victim: GitLab users | GitLab

Key Point :

  • The vulnerability allows attackers to bypass authentication and access sensitive GitLab projects without valid credentials.
  • GitLab has released security patches and recommends enabling two-factor authentication and disabling SAML two-factor bypass options for self-managed instances.
  • Organizations are encouraged to monitor logs for indicators of exploitation attempts and to upgrade to the latest patched versions immediately.

GitLab has issued an urgent security update addressing a critical vulnerability that affects both GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw, identified as CVE-2024-45409, carries a CVSS score of 10, marking it as a highly severe threat. This vulnerability is rooted in the Ruby-SAML library, which is used to handle SAML authentication for GitLab instances.

CVE-2024-45409 exposes GitLab instances to a potentially catastrophic security breach. The vulnerability stems from improper signature verification in certain versions of the Ruby-SAML library (<=12.2 and 1.13.0 through 1.16.0). This flaw allows an unauthenticated attacker to forge a SAML response, effectively granting them access to GitLab as any arbitrary user.

In practical terms, this means that a threat actor could bypass authentication checks and gain access to sensitive GitLab projects, including source code repositories, without needing to supply valid credentials.

GitLab has responded by releasing security patches for all affected versions, which includes updates to both the omniauth-saml dependency (to version 2.2.1) and the ruby-saml library (to version 1.17.0).

For self-managed GitLab users, there are several key mitigation steps to prevent successful exploitation of this vulnerability:

  1. Enable two-factor authentication (2FA) for all user accounts on the self-managed instance. It is important to note that enabling identity provider (IdP) multi-factor authentication does not mitigate this vulnerability—GitLab’s built-in 2FA must be used.
  2. Disable the SAML two-factor bypass option in GitLab to prevent attackers from leveraging this method to circumvent additional security layers.

GitLab has provided guidelines for identifying exploitation attempts via application and authentication logs. Indicators of unsuccessful exploitation attempts include the occurrence of RubySaml::ValidationError in the logs, often due to incorrect callback URLs or certificate signing issues.

On the other hand, successful exploitation will leave traces in SAML-related log events. Attackers will attempt to set arbitrary extern_uid values to mimic legitimate authentication sessions, making it crucial for administrators to scrutinize unexpected or unknown extern_uid fields.

{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =u003e false, extern_uid =u003e exploit-test-user"}
Example exploit authentication event in the application_json log file, with a extern_id set in exploit PoC code

For organizations that forward GitLab logs to a SIEM, GitLab has provided Sigma-based detection rules to help identify potential exploitation attempts. These detection rules focus on identifying unusual patterns such as:

  • Multiple extern_uid values for a single authenticated SAML user.
  • IP address mismatches between SAML authentication events and other IdP-related events for the same user, which could indicate unauthorized access.

All GitLab installations affected by CVE-2024-45409 are urged to upgrade to the latest patched versions immediately (17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10). Given the critical nature of this vulnerability and the potential for remote, unauthenticated access, delaying the update could result in a severe security breach.

Related Posts:

Source: https://securityonline.info/gitlab-releases-critical-security-patch-for-cve-2024-45409-vulnerability

Tags: EXPLOIT, VULNERABILITY, MONITOR, BREACH, CVE, PATCH, SIEM