On January 11, 2024, GitLab released an update together with an official advisory for a critical vulnerability fix. The vulnerability allows a user to have the account password reset form sent to an unverified email address, effectively granting a stranger access to the repository. Almost all 16.x versions of the software package are susceptible to the exploit.
GitLab Zero-Click Vulnerability Allows Account Hijacking
According to the company's official description of CVE-2023-7028, a handful of versions contain a critical bug. Using it, a potential adversary can have the password reset email sent to an arbitrary email address. Hence, hackers can effortlessly hijack accounts of any privilege level. Such ease of exploitation and severity of potential outcomes is what gives this vulnerability the CVSS score of 10/10.
By accessing the repository, attackers can effectively do whatever they want with the code stored in it. Selling corporate secrets, searching for potential vulnerabilities in the software, injecting malicious code in the hope of compromising employees’ systems, or even launching a supply chain attack – pick the one you like. Patching this should not be just urgent – it must be done immediately.
As GitLab notes, having 2FA activated on the account would have saved it from hijacking. The second factor is not affected by the bug and is still verified in the proper way, so a password reset alone does not grant access. Still, there are enough people who do not care about the security of Git repository access, meaning that CVE-2023-7028 has an enormous field of application.
GitLab 0-click Vulnerability Fixes Available
The company did not just release a security notification, but made it part of the patch notes for an update that fixes all this mess. According to the information, only version 16 is vulnerable, specifically the following lineup of its minor releases:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
The latest versions available are 16.5.6, 16.6.4 and 16.7.2, which on its own leaves no options for users of versions 16.4 and below. However, GitLab also provides backports of the fix to 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6 and 16.6.4, meaning that there is no need to jump to the most recent version. As there are no mitigation options offered (or possible), updating remains the only choice.
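To make the affected/fixed table above actionable, here is an added example (not GitLab's own code and not part of the original post) that checks a self-managed instance's version string against the ranges listed in the advisory and names the first patched release for that minor line. The only assumptions are that the version string follows GitLab's `MAJOR.MINOR.PATCH` form, optionally with an edition suffix such as `-ee`, and that the JSON sample fed to `check_version_response` is a constructed stand-in for the `{"version": ..., "revision": ...}` document that GitLab's `/api/v4/version` endpoint returns to an authenticated caller.

```python
import json

# Vulnerable patch ranges per minor line, taken from the advisory summary above:
# (major, minor) -> (first vulnerable patch, last vulnerable patch).
# The release that closes each line is the next patch number (16.1.6, 16.2.9, ...).
VULNERABLE_RANGES = {
    (16, 1): (0, 5),
    (16, 2): (0, 8),
    (16, 3): (0, 6),
    (16, 4): (0, 4),
    (16, 5): (0, 5),
    (16, 6): (0, 3),
    (16, 7): (0, 1),
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (an edition suffix like '-ee' is ignored) into ints."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(text)
    rng = VULNERABLE_RANGES.get((major, minor))
    if rng is None:
        return False
    low, high = rng
    return low <= patch <= high


def minimum_fixed_version(text):
    """First patched release on the same minor line, or None if not affected."""
    major, minor, patch = parse_version(text)
    rng = VULNERABLE_RANGES.get((major, minor))
    if rng is None or patch > rng[1]:
        return None
    return f"{major}.{minor}.{rng[1] + 1}"


def check_version_response(json_text):
    """Evaluate a version document of the shape GitLab's /api/v4/version returns.

    Returns a dict with the parsed version, whether it is affected by
    CVE-2023-7028, and the smallest upgrade target that closes the hole.
    """
    doc = json.loads(json_text)
    version = doc["version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": minimum_fixed_version(version),
    }


if __name__ == "__main__":
    # Constructed sample response; a real instance would return its own version/revision.
    sample = '{"version": "16.6.2-ee", "revision": "0000000"}'
    report = check_version_response(sample)
    print(report)  # a 16.6.2 instance is affected and should move to 16.6.4
```

Running this against the output of `sudo gitlab-rake gitlab:env:info` (which prints the version of an Omnibus install) or the JSON from the version API gives a yes/no answer plus the exact backport release to install, which is the question an administrator triaging this advisory actually has to answer.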
How to protect against software vulnerabilities?
As I mentioned above, there is one way to avoid account hijacking through this vulnerability – using 2FA. Still, every specific vulnerability requires its own protection method, which makes it quite difficult to give universal advice. In this specific case, for example, a security solution on the endpoint is completely useless, as the hack happens entirely outside the protected environment.
Nonetheless, the use of thoroughly engineered security software heavily reduces the chances of being hacked. Such zero-click vulnerabilities are rare occurrences, so pessimism aside – EDR/XDR will be effective against the majority of exploitation attempts. For additional awareness and more rapid response, SOAR and SIEM systems make a great addition to the pack.