GitLab Hackers Use 'Forgot Your Password' to Hijack Accounts
US CISA Orders Federal Agencies to Apply January Patch

The U.S. federal government's cybersecurity agency warned that hackers are exploiting a vulnerability in the DevOps platform GitLab that the open-core company patched in January.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the vulnerability, tracked as CVE-2023-7028, to its Known Exploited Vulnerabilities Catalog. CISA gave federal agencies three weeks to confirm they have applied the patch and advised all GitLab customers to make sure they are running a fixed version. In a worst-case scenario, the flaw could enable supply chain attacks: an attacker who hijacks a developer's account can push malicious code into the repositories that account controls.
At the time of the patch's release, GitLab said it had not detected any abuse of the vulnerability on the instances it manages. But "no known exploits" at the moment a patch ships routinely turns into opportunistic exploitation within hours or days of public disclosure, and cybersecurity experts warn that hackers, including nation-state threat actors, have become quick to weaponize newly disclosed flaws. Verizon's latest Data Breach Investigations Report, published Wednesday, says that most enterprises aim to install patches 30 to 60 days after they are published, and within 15 days for critical vulnerabilities of the type featured in CISA's Known Exploited Vulnerabilities Catalog.
"Sadly, this does not seem to keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities," Verizon said (see: Tracking Data Breaches: Targeting of Vulnerabilities Surges).
Internet scanning by The Shadowserver Foundation initially found about 5,500 GitLab instances exposed to the internet and vulnerable to the flaw. As of Tuesday that figure had fallen by only about 55%, leaving roughly 2,500 exposed instances still unpatched.
The vulnerability, which GitLab rates at the maximum CVSS score of 10, lies in the password reset flow: the "forgot your password" form accepted more than one email address in a single request, and GitLab delivered the reset link to every address submitted, including an unverified, attacker-controlled inbox. Whoever holds the link can set a new password and log in as the victim. GitLab introduced the bug in version 16.1.0 and fixed it in 16.7.2, 16.6.4 and 16.5.6, with backports to 16.1.6, 16.2.9, 16.3.7 and 16.4.5; a self-managed instance on any earlier 16.x release remains exposed.
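The following is an added example, not GitLab's code, that models the flaw described above in Ruby, the language GitLab itself is written in. It puts a simplified vulnerable reset handler beside a hardened one. The user store, the `users.noreply.gitlab.example` domain and the `<id>-<username>` address pattern are assumptions for illustration, standing in for the fact that every GitLab account also answers to a deterministic secondary address the attacker can derive.

```ruby
require 'securerandom'

# Toy model of a GitLab-like user record.  The noreply address pattern
# and domain are illustrative assumptions, not taken from GitLab's code.
User = Struct.new(:id, :username, :verified_emails) do
  # A deterministic secondary address every account has, so an attacker
  # can derive it without knowing the victim's real inbox.
  def private_commit_email
    "#{id}-#{username}@users.noreply.gitlab.example"
  end

  def known_emails
    verified_emails + [private_commit_email]
  end
end

# Constructed sample data: one account with one verified address.
USERS = [
  User.new(42, 'alice', ['alice@corp.example']),
].freeze

def find_user_by_any_email(address)
  USERS.find { |u| u.known_emails.include?(address) }
end

# Vulnerable flow: the form field is accepted as a list, the account is
# resolved from the first address, and the reset token is mailed to EVERY
# address in the list.  Returns [recipient, token] pairs.
def vulnerable_reset(params)
  addresses = Array(params.dig('user', 'email'))
  user = find_user_by_any_email(addresses.first)
  return [] unless user

  token = SecureRandom.hex(16)
  addresses.map { |a| [a, token] } # attacker's inbox receives the same token
end

# Hardened flow: exactly one string address is accepted, and the token goes
# only to the account's verified addresses, never to whatever was typed in.
def hardened_reset(params)
  raw = params.dig('user', 'email')
  return [] unless raw.is_a?(String) # reject arrays and hashes outright

  user = find_user_by_any_email(raw)
  return [] unless user

  token = SecureRandom.hex(16)
  user.verified_emails.map { |a| [a, token] }
end
```

Note what the hardened version does and does not prevent: an attacker who knows the derived address can still make the server send a reset mail to the victim's own verified inbox, which is noise for the victim but never leaks the token outside the account.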
One GitLab developer warned users that attackers don't need to know the email address of the account they're attempting to hijack. "We can use the private commit email, which follows a predictable pattern, to trigger the reset," the developer wrote on the issue tracker. Accounts with two-factor authentication enabled can still have their password reset, but an attacker cannot complete the login without the second factor; those users should nonetheless change their passwords as well.
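An administrator who wants to know whether an instance was targeted before the patch landed can look for the tell-tale of the technique above: a single password reset request carrying more than one email address. The Ruby script below is an added example, not GitLab tooling. It scans constructed log lines shaped like a Rails JSON request log (one JSON object per request with `path`, `method`, `remote_ip` and a `params` array); the field names, the sample addresses and the IPs are assumptions made for the example.

```ruby
require 'json'

# Constructed sample lines in the shape of a Rails JSON request log.
# The field layout is an assumption for illustration.  The third line is
# the suspicious one: two addresses submitted in a single reset request.
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","remote_ip":"10.0.0.5","time":"2024-01-12T09:01:10Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@corp.example"}}]}
  {"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","remote_ip":"10.0.0.9","time":"2024-01-12T09:02:00Z","params":[]}
  {"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","remote_ip":"203.0.113.7","time":"2024-01-12T09:03:31Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["42-alice@users.noreply.gitlab.example","attacker@evil.example"]}}]}
  not json at all
LOG

# Pull the value of the "user" param, tolerating missing or malformed entries.
def user_param(entry)
  params = entry['params']
  return nil unless params.is_a?(Array)

  hit = params.find { |p| p.is_a?(Hash) && p['key'] == 'user' }
  hit && hit['value']
end

# Returns one finding per password reset request whose email value was not a
# single string (an array of addresses, or a hash), which is how the reset
# form was abused.  A normal request carries exactly one string address.
def find_suspicious_resets(log_text)
  log_text.each_line.with_object([]) do |line, findings|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # skip non-JSON lines rather than abort the whole scan
    end
    next unless entry.is_a?(Hash)
    next unless entry['path'] == '/users/password' && entry['method'] == 'POST'

    user = user_param(entry)
    email = user.is_a?(Hash) ? user['email'] : nil
    next if email.nil? || email.is_a?(String) # one plain address is normal

    findings << {
      time: entry['time'],
      remote_ip: entry['remote_ip'],
      emails: Array(email).map(&:to_s),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  find_suspicious_resets(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:remote_ip]} reset requested for #{f[:emails].join(', ')}"
  end
end
```

Any hit is worth treating as a likely takeover attempt against the account named by the first address: rotate that account's password and personal access tokens, review its recent pushes and CI changes, and check whether the second address appears elsewhere in the logs.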