Indiscriminate, opportunistic targeting.
GitLab has released a security update for a critical vulnerability, CVE-2023-4998, which allows an attacker to run pipelines as another user. The issue, assigned a CVSSv3 score of 9.6, is a bypass of the fix for a medium severity vulnerability, CVE-2023-3932, which was patched in August 2023. GitLab has published a statement describing the issue as critical and strongly urging users to update as soon as possible.
Successful exploitation allows an attacker to run pipelines while impersonating another user. Because a pipeline runs with the permissions of the user it is attributed to, the attacker inherits that user's access to repository content and to the CI/CD secrets available to that user, and can read or alter sensitive data or inject malicious code into builds. The impact therefore scales with the privileges of the impersonated account: impersonating a project Owner or an administrator could lead to data loss, tampered build output and a foothold for further attacks, with the resulting financial and reputational damage.
GitLab has patched the vulnerability in the affected release lines; earlier releases in those lines remain vulnerable.
GitLab EE, GitLab CE.
Containment, Mitigations & Remediations
GitLab 16.2.7 and 16.3.4 fix this vulnerability. Per GitLab's advisory, the affected ranges are 13.12 up to but excluding 16.2.7, and 16.3 up to but excluding 16.3.4, so any 16.2 or 16.3 instance below those releases should be upgraded as soon as possible. Versions prior to 16.2 will not receive a patch. For those, the vulnerability can be mitigated by ensuring that the "Direct transfers" feature (the instance-level option to migrate groups and projects by direct transfer, under Admin Area > Settings > General > Import and export settings) and the "Security policies" feature are not enabled at the same time, because the issue is only exploitable when both are on. This is a stopgap: the recommended course is to upgrade to a current, fully supported release.
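The version ranges and the mitigation above can be checked mechanically. The following script is an added example written for this advisory, not GitLab's own tooling. It encodes the affected ranges from GitLab's advisory, parses the version string returned by the GitLab API (including `-ee`/`-ce` suffixes), and combines that with the "Direct transfers" setting. The live mode assumes the GitLab REST endpoints `/api/v4/version` and `/api/v4/application/settings` (the latter requires an administrator token) and assumes the settings key `bulk_import_enabled` is the "Direct transfers" toggle; the offline sample values are constructed.

```python
"""Check a GitLab instance against the CVE-2023-4998 affected ranges and the
"Direct transfers" mitigation.

Added example, not GitLab's own tooling. The affected ranges follow GitLab's
advisory: 13.12 up to but excluding 16.2.7, and 16.3 up to but excluding 16.3.4.
Live mode assumes two GitLab REST endpoints, /api/v4/version and
/api/v4/application/settings (administrator token needed), and assumes the
settings key `bulk_import_enabled` is the "Direct transfers" toggle.
"""
import json
import os
import re
import urllib.request

# (inclusive lower bound, exclusive upper bound), per GitLab's advisory.
AFFECTED_RANGES = [((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4))]


def parse_version(text):
    """Turn '16.3.3-ee' or '16.2.7' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(version_text, settings):
    """Combine the version check with the Direct-transfers setting.

    `settings` is the JSON body of /api/v4/application/settings. That endpoint
    does not show whether any project has a security policy attached, so an
    affected version with Direct transfers enabled is reported as vulnerable
    (assumption: security policies may be in use somewhere on the instance).
    Returns one of 'not_affected', 'mitigated', 'vulnerable'.
    """
    if not is_affected(version_text):
        return "not_affected"
    if not settings.get("bulk_import_enabled", False):
        return "mitigated"
    return "vulnerable"


def recommendation(version_text, settings):
    """Next step in line with the advisory's guidance, as a short string."""
    status = assess(version_text, settings)
    v = parse_version(version_text)
    if status == "not_affected":
        return "no action for CVE-2023-4998"
    if v < (16, 2, 0):
        fix = ("no patch for this line: disable Direct transfers or Security policies, "
               "then upgrade to 16.2.7 / 16.3.4 or later")
    elif v < (16, 3, 0):
        fix = "upgrade to 16.2.7 or later"
    else:
        fix = "upgrade to 16.3.4 or later"
    return f"{status}: {fix}"


def _get(base_url, path, token):
    """Minimal authenticated GET for live mode, standard library only."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Live mode needs GITLAB_URL and an administrator GITLAB_TOKEN in the environment.
    base = os.environ.get("GITLAB_URL")
    token = os.environ.get("GITLAB_TOKEN")
    if base and token:
        version = _get(base, "/api/v4/version", token)["version"]
        settings = _get(base, "/api/v4/application/settings", token)
    else:
        # Offline demonstration with a constructed version and settings body.
        version, settings = "16.3.3-ee", {"bulk_import_enabled": True}
    print(f"GitLab {version}: {recommendation(version, settings)}")
```

Run with `GITLAB_URL` and `GITLAB_TOKEN` set to query a real instance; without them it evaluates the constructed sample. Treat a "mitigated" result as temporary: disabling Direct transfers only closes the exploit path, it does not remove the bug.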
Indicators of Compromise
At this time, no specific Indicators of Compromise (IoCs) have been published. Because the vulnerability lets an attacker run pipelines as another user, pipelines on an affected instance that are attributed to a user who did not initiate them, particularly privileged accounts, are the most likely sign of compromise and should be reviewed.
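One way to hunt for that pattern is shown below. This is an added example for this advisory, not GitLab's code, and no public IoCs exist for this CVE, so it is a heuristic: a pipeline attributed to a privileged account but started by a schedule or a security policy, rather than by that account's own push or web action, gets flagged for review. The record shape follows GitLab's single-pipeline API (`GET /projects/:id/pipelines/:pipeline_id`), which returns `source` and `user`; the `source` values used and the sample records are assumptions and constructed data, not captured from a real instance.

```python
"""Hunting heuristic for pipelines that may have been run as another user.

Added example for the CVE-2023-4998 advisory; not GitLab's code. Record shape
follows GET /projects/:id/pipelines/:pipeline_id, which carries `source` and
`user`. The `source` names below and the sample records are assumptions /
constructed data.
"""
from collections import Counter

# Pipeline sources that are not a direct action by the attributed user (assumed names).
INDIRECT_SOURCES = {"schedule", "security_orchestration_policy"}

# Constructed sample: an export of pipeline detail records from two projects.
SAMPLE_PIPELINES = [
    {"id": 101, "project_id": 7, "source": "push", "ref": "main",
     "user": {"username": "alice"}, "created_at": "2023-09-18T09:12:00.000Z"},
    {"id": 102, "project_id": 7, "source": "schedule", "ref": "main",
     "user": {"username": "admin-ops"}, "created_at": "2023-09-19T02:05:00.000Z"},
    {"id": 103, "project_id": 7, "source": "security_orchestration_policy", "ref": "main",
     "user": {"username": "admin-ops"}, "created_at": "2023-09-19T02:06:00.000Z"},
    {"id": 104, "project_id": 9, "source": "web", "ref": "release",
     "user": {"username": "admin-ops"}, "created_at": "2023-09-19T10:00:00.000Z"},
    {"id": 105, "project_id": 9, "source": "schedule", "ref": "main",
     "user": {"username": "bot-nightly"}, "created_at": "2023-09-19T03:00:00.000Z"},
    {"id": 106, "project_id": 9, "source": "schedule", "ref": "main",
     "user": None, "created_at": "2023-09-19T03:30:00.000Z"},
]


def suspicious_pipelines(pipelines, privileged_users, known_schedule_owners=frozenset()):
    """Return the records worth reviewing, each with a short reason.

    privileged_users: accounts whose impersonation would hurt (owners, admins).
    known_schedule_owners: privileged accounts that legitimately own schedules.
    A missing `user` (e.g. deleted account) is tolerated and simply not matched.
    """
    hits = []
    for p in pipelines:
        user = (p.get("user") or {}).get("username")
        source = p.get("source")
        if (user in privileged_users and source in INDIRECT_SOURCES
                and user not in known_schedule_owners):
            hits.append({"id": p["id"], "project_id": p["project_id"], "user": user,
                         "reason": f"{source} pipeline attributed to privileged user {user}"})
    return hits


def indirect_runs_by_user(pipelines):
    """Count schedule/policy-sourced pipelines per attributed user.

    A privileged name appearing here for the first time is a good pivot point.
    """
    counts = Counter()
    for p in pipelines:
        if p.get("source") in INDIRECT_SOURCES:
            counts[(p.get("user") or {}).get("username") or "<none>"] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in suspicious_pipelines(SAMPLE_PIPELINES, {"admin-ops", "bot-nightly"}, {"bot-nightly"}):
        print(hit)
    print(indirect_runs_by_user(SAMPLE_PIPELINES))
```

Feed it the pipeline detail records exported for the period before the patch was applied, with the instance's owner and administrator accounts as `privileged_users`. The heuristic will also surface legitimately scheduled pipelines owned by privileged users, which is why `known_schedule_owners` exists; confirm each hit against the schedule's actual owner and the project's security policy configuration.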
GitLab is an industry-leading DevOps platform used by over 100,000 organisations. Because it is so widely deployed and sits at the centre of the software build and delivery process, GitLab has become an increasingly attractive target for threat actors seeking a foothold in an organisation's environment.
No attribution to specific threat actors or groups has been identified at the time of writing. The vulnerability was discovered by security researcher Johan Carlsson (joaxcar), who reported it through GitLab's HackerOne bug bounty programme; malicious exploitation has not yet been observed from any threat group.
TA0002 – Execution