A critical vulnerability in GitLab has caught the attention of federal officials because it is now being actively exploited. The flaw, an account-takeover bug in GitLab's password-reset flow, lets an attacker seize an account without any action by its owner. GitLab shipped fixes on January 11, 2024 (versions 16.7.2, 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9 and 16.1.6), yet thousands of self-hosted instances have still not been updated.
The issue stems from a change GitLab shipped in version 16.1.0 in May 2023 that let users request a password-reset link for an email address other than the one on the account, so that people locked out of their primary mailbox could still recover access. The reset endpoint accepted a list of addresses rather than a single one, and it sent the reset link to every address in the list, including unverified ones the requester typed in. An attacker who knew a victim's email therefore submitted both the victim's address and one they controlled, received a valid reset link in their own inbox, clicked it, and set a new password for the victim's account.
What makes this particularly dangerous is that the victim never has to click, approve or even see anything. Full takeover, however, only works against accounts without two-factor authentication (2FA, which GitLab also calls MFA). For accounts with 2FA enabled, the attacker can still reset the password, which is disruptive in itself, but cannot log in without the second factor.
Given the severity of the vulnerability, tracked as CVE-2023-7028 and given the maximum CVSS score of 10.0, the US Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog. CISA cited evidence of active exploitation and ordered federal agencies to patch their systems without delay.
The potential impact is significant. A self-hosted GitLab instance typically holds source code, CI/CD pipeline definitions and deployment credentials for many projects, so an attacker who hijacks a maintainer's account can alter code or pipeline configuration and plant a backdoor that ships to every downstream consumer of the software. A supply-chain compromise of this kind can reach thousands of users who never touched the vulnerable server.
Internet scans by the non-profit Shadowserver Foundation found more than 2,100 IP addresses serving GitLab instances on vulnerable versions. That count has fallen since the patch was issued, but every remaining instance is exposed to an attack that is public, takes a single crafted request, and is known to be in use.
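Rather than waiting for an external scan to flag an instance, an administrator can check the installed version against the affected ranges directly. The following is an added example written for this page, not code from GitLab or from the article; the fixed-version table is taken from GitLab's January 2024 security release, and the hypothetical file name `check_gitlab.py` is only used in the usage comment.

```python
# Added example (not from the article or from GitLab): decide whether a self-hosted
# GitLab version string falls in the range affected by CVE-2023-7028.
from typing import Optional, Tuple

# First fixed release on each affected branch, as published in GitLab's
# 11 January 2024 security release. The faulty reset flow shipped in 16.1.0,
# so 16.0 and earlier never had it; 16.8 and later were released with the fix.
FIRST_FIXED = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse '16.5.3-ee', '16.7.0-ce.0' or '16.7.2' into (major, minor, patch).

    Only the numeric core is compared; edition and package suffixes are ignored.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GitLab release version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def check_cve_2023_7028(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, first_fixed_on_this_branch).

    first_fixed is None when the branch was never affected, so the caller
    can tell "patched" apart from "never had the bug".
    """
    major, minor, patch = parse_version(version)
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return False, None
    fixed_str = ".".join(str(n) for n in fixed)
    return (major, minor, patch) < fixed, fixed_str


if __name__ == "__main__":
    import sys

    # Usage (hypothetical file name): python check_gitlab.py 16.5.3-ee
    # The running version is printed by `sudo gitlab-rake gitlab:env:info` or
    # returned by GET /api/v4/version with an authenticated token.
    for v in sys.argv[1:] or ["16.5.3-ee", "16.7.2", "16.0.8", "16.8.1"]:
        vulnerable, fixed = check_cve_2023_7028(v)
        if vulnerable:
            print(f"{v}: VULNERABLE, upgrade to {fixed} or later on this branch")
        elif fixed:
            print(f"{v}: patched (>= {fixed})")
        else:
            print(f"{v}: branch not affected")
```

Note that a version check only says whether the flaw is present now; it says nothing about whether it was exploited before the upgrade, which is what the log review below the patching advice is for.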
CISA has stressed patching and recommends enabling MFA on every account. Patching, however, does not undo a takeover that has already happened: an attacker who reset a password before the update may still hold a valid session, a personal access token or an SSH key on the account, and anything pushed to repositories or pipelines in the meantime needs review. GitLab has published incident response guidance for the flaw; it centres on searching the instance's request and audit logs for password-reset requests that carried more than one email address, and on treating any account that was the target of such a request as compromised.
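The indicator GitLab's guidance describes is concrete enough to script: a `POST /users/password` request in `gitlab-rails/production_json.log` whose `user[email]` parameter is a JSON array with more than one address, and the matching `PasswordsController#create` event in `gitlab-rails/audit_json.log` whose `target_details` is such an array. The scanner below is an added example written for this page, not GitLab's own tooling. The log lines embedded in it are constructed to mirror the shape of those two files; the addresses, IPs, timestamps and entity IDs are invented.

```python
# Added example (not from the article or from GitLab): scan GitLab log lines for
# the CVE-2023-7028 indicator, a password-reset request whose email parameter is
# a JSON array holding more than one address.
import json
from typing import Dict, Iterable, List

# Constructed sample lines shaped like gitlab-rails/production_json.log.
# Illustrative only: field names follow GitLab's JSON request log, values are invented.
PRODUCTION_JSON_LOG = """\
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"198.51.100.10","time":"2024-01-10T09:12:01.123Z"}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["alice@example.com","reset-catcher@attacker.example"]}}],"remote_ip":"203.0.113.77","time":"2024-01-10T09:15:44.901Z"}
{"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","status":200,"params":[],"remote_ip":"198.51.100.10","time":"2024-01-10T09:16:00.000Z"}
not json at all
"""

# Constructed sample lines shaped like gitlab-rails/audit_json.log (also invented values).
AUDIT_JSON_LOG = """\
{"severity":"INFO","time":"2024-01-10T09:15:45.002Z","entity_type":"User","entity_id":42,"target_details":["alice@example.com","reset-catcher@attacker.example"],"meta.caller_id":"PasswordsController#create","ip_address":"203.0.113.77"}
{"severity":"INFO","time":"2024-01-10T09:12:01.500Z","entity_type":"User","entity_id":42,"target_details":"alice@example.com","meta.caller_id":"PasswordsController#create","ip_address":"198.51.100.10"}
"""


def _iter_json(lines: Iterable[str]) -> Iterable[dict]:
    """Yield parsed JSON objects, skipping blank or non-JSON lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def _multi_address(value) -> List[str]:
    """Return the address list when value is an array with more than one entry, else []."""
    if isinstance(value, list) and len(value) > 1:
        return [str(v) for v in value]
    return []


def find_suspicious_resets(production_lines: Iterable[str]) -> List[Dict]:
    """Flag /users/password requests whose user[email] parameter listed 2+ addresses."""
    findings = []
    for entry in _iter_json(production_lines):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            if param.get("key") != "user" or not isinstance(param.get("value"), dict):
                continue
            emails = _multi_address(param["value"].get("email"))
            if emails:
                findings.append({"time": entry.get("time"),
                                 "remote_ip": entry.get("remote_ip"),
                                 "emails": emails})
    return findings


def find_suspicious_audit_events(audit_lines: Iterable[str]) -> List[Dict]:
    """Flag PasswordsController#create audit events whose target_details listed 2+ addresses."""
    findings = []
    for entry in _iter_json(audit_lines):
        if entry.get("meta.caller_id") != "PasswordsController#create":
            continue
        emails = _multi_address(entry.get("target_details"))
        if emails:
            findings.append({"time": entry.get("time"),
                             "ip_address": entry.get("ip_address"),
                             "entity_id": entry.get("entity_id"),
                             "emails": emails})
    return findings


if __name__ == "__main__":
    # On a real host, replace the embedded samples with open(...) over the two log files.
    for hit in find_suspicious_resets(PRODUCTION_JSON_LOG.splitlines()):
        print("production_json.log:", hit)
    for hit in find_suspicious_audit_events(AUDIT_JSON_LOG.splitlines()):
        print("audit_json.log:", hit)
```

A single legitimate reset carries one address, so any array of two or more is worth treating as an attempted takeover: the first address is the victim's, the others are where the attacker wanted the link delivered. Because GitLab rotates these logs, pull archived copies back to cover the whole window from the vulnerable upgrade to the fix.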