GitLab Warns of Max Severity Authentication Bypass Bug

Published: 23/11/2024   Category: security




Company urges organizations running self-hosted GitLab instances to apply the updates for CVE-2024-45409 as soon as possible.



Organizations with self-hosted GitLab instances configured for SAML-based authentication might want to update immediately to new versions of the DevOps platform that the company released this week.
The update addresses a maximum-severity bug in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to bypass authentication checks and log in as an arbitrary user on an affected system. Depending on that user's level of access, an attacker could then steal, leak, or modify source code, inject malicious code into production systems, steal secrets and sensitive data, and execute a variety of other malicious actions.
The bug, identified as CVE-2024-45409, has a severity score of 10.0, the maximum on the CVSS scale. It earned that rating because of its high impact and because exploiting it involves low attack complexity, no privileges, and no user interaction.
CVE-2024-45409 affects both GitLab Dedicated, the fully managed cloud-hosted version, and self-managed instances of GitLab. The company has already updated all GitLab Dedicated instances and says customers of the managed version are protected against the vulnerability. Those running self-managed GitLab installations, however, must patch now, the vendor advised: "We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible."
GitLab has recommended that organizations enable two-factor authentication for all user accounts on self-managed GitLab installations to mitigate exploits targeting CVE-2024-45409. Enabling multifactor authentication at the identity provider does not mitigate this vulnerability, GitLab cautioned; a forged SAML response is presented to GitLab without ever passing through the identity provider, so only a second factor enforced by GitLab itself stands in the way. The company also recommends that organizations not allow the SAML two-factor bypass option in GitLab. In addition, GitLab's advisory provides detailed guidance on how to hunt for and detect signs of exploit activity tied to the flaw.
CVE-2024-45409 is present in Ruby SAML versions 1.12.2 and older and in versions 1.13.0 through 1.16.0 (fixed in 1.12.3 and 1.17.0). Ruby SAML is the library behind GitLab's SAML-based authentication feature: it is what allows organizations to authenticate users to GitLab via external identity providers.
The National Vulnerability Database's description of the flaw says that affected Ruby SAML versions either aren't verifying or are incorrectly verifying the cryptographic signature in a SAML response. This allows an attacker with access to any signed SAML document from an identity provider to forge a SAML response. "This would allow the attacker to log in as [an] arbitrary user within the vulnerable system," the NVD said.
In its advisory, GitLab said that a successful exploit requires the attacker to produce SAML assertions identical to those issued by an organization's legitimate identity provider, which means knowing enough to accurately replicate key fields such as username, role, identity, and privileges.
"When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login," GitLab said. "These include both the key and value fields that you specify at your [identity provider] and may be unknown to unauthorized individuals — especially if you have customized these attributes."
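To make the NVD description concrete, here is an added example written for this page in Ruby, the language of Ruby SAML; it is not ruby-saml's code, GitLab's code, or the actual exploit. It models the class of flaw the advisory describes: a consumer that confirms some signature in the response is valid over some referenced element, then reads the subject from the first assertion it finds, without ever checking that the signed element and the consumed element are the same. An attacker holding any IdP-signed response (their own login) can prepend a forged assertion and keep the real signature. The hardened consumer picks the assertion it will act on first and demands that the one signature present references exactly that element's ID and matches its digest. Everything here is constructed and simplified: the IdP key is generated on the spot, the signature sits beside the assertion instead of being enveloped in it, there is no XML canonicalisation, and digests and signatures are hex rather than base64. The names idp_sign_response, verified_reference_id, naive_subject, hardened_subject and wrap_forged_assertion are this example's own.

```ruby
require 'rexml/document'
require 'openssl'
require 'digest'

SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion'
SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
DS    = 'http://www.w3.org/2000/09/xmldsig#'
NS    = { 'saml' => SAML, 'samlp' => SAMLP, 'ds' => DS }.freeze

# Constructed IdP signing key. A real SP takes the IdP certificate from
# federation metadata; it never generates the key itself.
IDP_KEY = OpenSSL::PKey::RSA.new(2048)

# Toy canonicalisation: REXML's own serialisation of an element. Real XML-DSig
# uses Exclusive C14N; the binding logic below does not depend on which is used.
def canon(el)
  el.to_s
end

# IdP side: sign one assertion and wrap it in a Response. Simplified layout:
# the Signature sits beside the assertion it references instead of inside it.
def idp_sign_response(assertion_xml)
  assertion = REXML::Document.new(assertion_xml).root
  id = assertion.attributes['ID']
  digest = Digest::SHA256.hexdigest(canon(assertion))
  signed_info = REXML::Document.new(
    "<ds:SignedInfo xmlns:ds=\"#{DS}\"><ds:Reference URI=\"##{id}\">" \
    "<ds:DigestValue>#{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>"
  ).root
  sig_hex = IDP_KEY.sign(OpenSSL::Digest.new('SHA256'), canon(signed_info)).unpack1('H*')
  "<samlp:Response xmlns:samlp=\"#{SAMLP}\">#{canon(assertion)}" \
    "<ds:Signature xmlns:ds=\"#{DS}\">#{canon(signed_info)}" \
    "<ds:SignatureValue>#{sig_hex}</ds:SignatureValue></ds:Signature></samlp:Response>"
end

# Shared mechanics: check the RSA signature over SignedInfo and the digest of
# the element named by Reference/@URI. Returns the ID that was actually signed,
# or nil. Note what it does NOT say: which assertion the caller is about to trust.
def verified_reference_id(doc, sig_el)
  signed_info = REXML::XPath.first(sig_el, 'ds:SignedInfo', NS)
  sig_value   = REXML::XPath.first(sig_el, 'ds:SignatureValue', NS)
  return nil unless signed_info && sig_value
  ok = IDP_KEY.verify(OpenSSL::Digest.new('SHA256'),
                      [sig_value.text].pack('H*'), canon(signed_info))
  return nil unless ok
  ref = REXML::XPath.first(signed_info, 'ds:Reference', NS)
  id  = ref.attributes['URI'].delete_prefix('#')
  targets = REXML::XPath.match(doc, '//saml:Assertion', NS).select { |a| a.attributes['ID'] == id }
  return nil unless targets.size == 1 # duplicate IDs are a wrapping tell
  expected = REXML::XPath.first(ref, 'ds:DigestValue', NS).text
  Digest::SHA256.hexdigest(canon(targets.first)) == expected ? id : nil
end

# Vulnerable consumer (illustrative): any valid signature anywhere in the
# document satisfies it, then it reads the subject from the first assertion,
# which it never ties to the signed element.
def naive_subject(response_xml)
  doc = REXML::Document.new(response_xml)
  sig = REXML::XPath.first(doc, '//ds:Signature', NS)
  return nil unless sig && verified_reference_id(doc, sig)
  REXML::XPath.first(doc, '//saml:Assertion/saml:Subject/saml:NameID', NS).text
end

# Hardened consumer: choose the assertion to act on first, then require that
# the single signature present references exactly that element.
def hardened_subject(response_xml)
  doc = REXML::Document.new(response_xml)
  assertions = REXML::XPath.match(doc, '/samlp:Response/saml:Assertion', NS)
  signatures = REXML::XPath.match(doc, '/samlp:Response/ds:Signature', NS)
  return nil unless assertions.size == 1 && signatures.size == 1
  assertion = assertions.first
  return nil unless verified_reference_id(doc, signatures.first) == assertion.attributes['ID']
  REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS).text
end

# Attacker side: take any IdP-signed response (their own login), insert a
# forged assertion right after the Response start tag, keep the real signature.
def wrap_forged_assertion(legit_response_xml, forged_assertion_xml)
  legit_response_xml.sub(/<samlp:Response[^>]*>/) { |start_tag| start_tag + forged_assertion_xml }
end

# Constructed inputs: the attacker's own assertion as the IdP would issue it,
# and a forged one claiming to be an admin.
LEGIT_ASSERTION = "<saml:Assertion xmlns:saml=\"#{SAML}\" ID=\"_a1\">" \
                  '<saml:Subject><saml:NameID>attacker@example.com</saml:NameID></saml:Subject></saml:Assertion>'
FORGED_ASSERTION = LEGIT_ASSERTION.sub('_a1', '_evil').sub('attacker@example.com', 'admin@example.com')

LEGIT_RESPONSE    = idp_sign_response(LEGIT_ASSERTION)
FORGED_RESPONSE   = wrap_forged_assertion(LEGIT_RESPONSE, FORGED_ASSERTION)
TAMPERED_RESPONSE = LEGIT_RESPONSE.sub('attacker@example.com', 'victim@example.com')

if __FILE__ == $0
  puts "legit    naive=#{naive_subject(LEGIT_RESPONSE).inspect} hardened=#{hardened_subject(LEGIT_RESPONSE).inspect}"
  puts "wrapped  naive=#{naive_subject(FORGED_RESPONSE).inspect} hardened=#{hardened_subject(FORGED_RESPONSE).inspect}"
  puts "tampered naive=#{naive_subject(TAMPERED_RESPONSE).inspect} hardened=#{hardened_subject(TAMPERED_RESPONSE).inspect}"
end
```

The naive consumer is not check-free: editing the subject of the signed assertion in place breaks the digest and is rejected by both consumers. What it lacks is binding, and that is the whole bypass: the wrapped response carries a perfectly valid IdP signature over the attacker's own assertion while the consumer acts on a different one. The hardened version rejects it twice over, once for having two top-level assertions and again because the signed ID would not match the consumed one. This is also why GitLab's own 2FA helps where IdP MFA does not: nothing in the wrapped response ever went through the IdP.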
Researchers consider vulnerabilities in DevOps platforms like GitLab particularly troublesome because of the opportunities they give attackers to compromise application development environments in multiple ways.
"The ability to bypass authentication checks is a huge threat, as it gives attackers the window of opportunity to easily enter development environments and cause tremendous damage — all without triggering any alerts," says Katie Teitler-Santullo, cybersecurity strategist at OX Security. "Presumably, and hopefully, organizations are using strong authentication — MFA, least privilege, and zero-trust principles — to ensure that all access is fully authorized."
Jeff Williams, founder and CTO at Contrast Security, stresses the importance of addressing authentication bypass flaws. "In this case, a forged SAML assertion can be created to log on as any user and take any actions that a user can do," he says. "This might include tampering with pipelines, embedding malicious code in software products, stealing intellectual property, installing malware, or just about any other bad thing you can imagine."
CVE-2024-45409 is the most critical of 18 vulnerabilities that GitLab disclosed this month as part of its regular security updates. GitLab assessed one of the other 17 as critical: CVE-2024-6678, with a CVSS score of 9.9, affects multiple GitLab CE and EE versions and is one of several flaws in recent months that allow an unauthenticated, remote attacker to run a pipeline in the context of any user within a GitLab environment.
The vulnerability is similar to flaws that GitLab disclosed in May, June, and July and suggests a pattern of not taking security seriously, Williams says. "Critical vulns month after month. Maybe they're doing better testing? Good. Or maybe they aren't being proactive. We need transparency."
