Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns

Patch now: Cyberattackers are exploiting CVE-2023-7028 (CVSS 10) to take over and lock users out of GitLab accounts, steal source code, and more.


A critical security vulnerability in GitLab is under active attack, according to CISA. It allows bad actors to send password reset emails for any account to an email address of their choice, thus paving the way for account takeover.

"This will allow attackers to reset the password just as if they were a user that had legitimately forgotten theirs," says Erich Kron, security awareness advocate at KnowBe4. "From there, the account would belong to the bad actors."

Further, Kron warned that if adversaries choose to change the legitimate associated email address for a GitLab account they've infiltrated, they could then keep the rightful account owner from being able to log in or use the password recovery function to change it back.

CISA added the vulnerability, CVE-2023-7028, to its Known Exploited Vulnerabilities (KEV) catalog as a "GitLab Community and Enterprise Editions Improper Access Control Vulnerability." The agency noted that the bug is maximum severity, with a CVSS vulnerability-severity score of 10 out of 10, and is requiring Federal Civilian Executive Branch (FCEB) agencies to remediate it on their networks in light of the active exploitation.

Sajeeb Lohani, senior director of cybersecurity at Bugcrowd, said there are publicly available exploits for the bug as well, so defenders shouldn't sit on this one.

"Since the exploit itself is quite simple to pull off, the bar of entry for the exploit is low, implying less skilled hackers will also be able to exploit this issue," he says. "In simple terms, this is an issue you want to patch promptly."

CVE-2023-7028: Risk of Proprietary Data, Code Theft

David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure, explains that the stakes are high for organizations because GitLab stores source code and proprietary data.

"There's always the risk of an attacker injecting malicious code into the supply chain as well, but that requires the changes not being flagged elsewhere," he explains. "While data exfiltration typically won't run up against other checks, the point of a source control platform is that you can easily transfer code in and out of it to local machines."

He recommended that organizations managing their own GitLab deployments ensure they have a plan to upgrade to a patched version if they haven't already done so.

"If that can't be done immediately, then mitigations should be employed," he says. "You need to ensure that you have regular password rotation or use a separate identity provider for authentication."

Larger organizations may want to also consider tools that can identify anomalous activity based on user actions, which could flag compromised accounts for quarantine.
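The following is an added example of the kind of user-action anomaly check described above; it is not code from the article, from GitLab, or from any of the people quoted. It reads a constructed, JSON-lines log of password-reset and account-change events (the field names and event names are an assumption for this example, not GitLab's real log schema) and flags two patterns that match the account-takeover flow the article describes: a reset e-mail sent to an address other than the one registered for the account, and a change of the account's e-mail address shortly after such a reset, which is the lockout step Kron warns about.

```python
"""Flag suspicious password-reset activity in constructed GitLab-style logs.

Assumptions for this example (not GitLab's actual schema):
  - one JSON object per line with fields ts, event, user, ip, and
    (for reset_requested / email_changed) the target address in "to";
  - the registered e-mail per account is available from a directory export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Registered e-mail per account (assumption: exported from the user directory).
REGISTERED = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}

# Constructed sample events; these are not real log lines.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "event": "reset_requested", "user": "alice", "to": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T10:02:00Z", "event": "reset_requested", "user": "bob", "to": "bob@example.com", "ip": "203.0.113.9"}
{"ts": "2024-05-01T10:05:00Z", "event": "reset_requested", "user": "bob", "to": "unknown@example.net", "ip": "198.51.100.7"}
{"ts": "2024-05-01T10:06:30Z", "event": "password_changed", "user": "bob", "ip": "198.51.100.7"}
{"ts": "2024-05-01T10:07:10Z", "event": "email_changed", "user": "bob", "to": "unknown@example.net", "ip": "198.51.100.7"}
"""


def parse_events(log_text):
    """Parse JSON-lines text into event dicts, sorted by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text, registered, window=timedelta(minutes=30)):
    """Return a list of findings, one per suspicious event.

    Rule 1: a reset link sent to an address that is not the account's
            registered e-mail (or for an account not in the directory).
    Rule 2: the account's e-mail changed within `window` of a rule-1 hit,
            i.e. the recovery address is being moved away from the owner.
    """
    findings = []
    suspicious_resets = defaultdict(list)  # user -> timestamps of rule-1 hits
    for ev in parse_events(log_text):
        user = ev["user"]
        if ev["event"] == "reset_requested":
            expected = registered.get(user)
            if expected is None or ev["to"].lower() != expected.lower():
                suspicious_resets[user].append(ev["ts"])
                findings.append({
                    "rule": "reset_to_unregistered_address",
                    "user": user,
                    "to": ev["to"],
                    "ip": ev["ip"],
                    "ts": ev["ts"].isoformat(),
                })
        elif ev["event"] == "email_changed":
            recent = [t for t in suspicious_resets[user] if ev["ts"] - t <= window]
            if recent:
                findings.append({
                    "rule": "recovery_address_changed_after_suspicious_reset",
                    "user": user,
                    "to": ev["to"],
                    "ip": ev["ip"],
                    "ts": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, REGISTERED):
        print(json.dumps(finding))
```

Run against the constructed sample, both findings concern the account "bob": the reset sent to an unregistered address, then the e-mail change minutes later from the same source IP. A real deployment would feed the reset and account-change events from the instance's audit trail and raise the second rule as a quarantine trigger rather than a log line.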

MFA, Zero Trust Are Effective Counters

Defending against these types of attacks goes back to security basics. For instance, Kron suggests that one of the most effective ways to counter attacks such as unauthorized password changes is the use of multifactor authentication (MFA), which attackers keep trying to circumvent.

He added that while MFA is not unhackable, it can add enough complexity to the account takeover process that the bad actors may fail.

"Even if they could reset your password, they will not be able to log in without the second factor," he says. "This could prevent them from changing the recovery email address, making them unable to lock the rightful account owner out."

Patrick Tiquet, vice president of security and architecture at Keeper Security, meanwhile notes the most effective method to prevent account-based cyberattacks is to invest in a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor's access.

He also says a privileged access management (PAM) solution is imperative for IT administrators and security personnel to manage and secure privileged credentials and ensure least-privilege access.

"Additionally, each organization's patch management strategy needs to have a fast track for critical vulnerabilities with high possible severities — like this one — to ensure they can immediately take action," Tiquet says.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

