Saturday, January 25, 2025
HomeCVE/vulnerabilityGitLab Urges Organization to Patch for Authentication Bypass Vulnerability

GitLab Urges Organization to Patch for Authentication Bypass Vulnerability

Published on

SIEM as a Service

Follow Us on Google News

GitLab has issued an urgent call to action for organizations using its platform to patch a critical authentication bypass vulnerability.

This security flaw, CVE-2024-45409, affects instances configured with SAML-based authentication. The vulnerability could potentially allow unauthorized access to sensitive data.

To address this, GitLab has released new Community Edition (CE) and Enterprise Edition (EE) versions and urged immediate updates.

Today, GitLab released versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 for CE and EE. These updates include important bug fixes and security patches to mitigate the risks associated with the identified vulnerability.

GitLab.com has already been updated with these patches, and all GitLab Dedicated instances have been upgraded automatically, requiring no action from customers.

Understanding the Vulnerability: CVE-2024-45409

The critical vulnerability involves an authentication bypass via SAML (Security Assertion Markup Language). Attackers could exploit this flaw to gain unauthorized access to GitLab instances configured with SAML-based authentication.

To mitigate this issue, GitLab has updated dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

These updates address the security gap and prevent potential exploitation of the CVE-2024-45409 vulnerability.

GitLab strongly recommends that all self-managed installations be upgraded to the latest versions immediately to protect against this vulnerability.

The company emphasizes that when no specific deployment type is mentioned (such as omnibus, source code, helm chart), all types are affected.

Self-Managed GitLab: Known Mitigations

For self-managed GitLab installations, specific mitigations can help prevent successful exploitation:

  1. Enable Two-Factor Authentication (2FA): It is advised that GitLab’s two-factor authentication for all user accounts on self-managed instances be enabled.
  2. Disable SAML Two-Factor Bypass: Ensure that the SAML two-factor bypass option is not allowed in GitLab settings.

Identifying and Detecting Exploitation Attempts

GitLab provides guidance on identifying and detecting potential exploitation attempts of the Ruby-SAML vulnerability.

Unsuccessful Exploit Attempts

Unsuccessful attempts may generate a ValidationError from the RubySaml library, which can be detected in the application_json log files. Common errors include incorrect callback URLs or certificate signing issues.

Example Log Events:

  • Invalid Ticket due to Incorrect Callback URL
{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}
  • Invalid Ticket due to Certificate Signing Issue
"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"

Successful Exploitation Attempts

Successful exploitation will trigger specific SAML-related log events that differ from legitimate authentication events. An attacker’s unique extern_id could indicate potential exploitation.

Example Exploit Authentication Event:

{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}

For self-managed customers forwarding logs to an SIEM (Security Information and Event Management), creating detections for Ruby-SAML exploitation attempts is possible using threat detection rules shared by GitLab in Sigma format.

GitLab’s proactive approach to addressing this critical vulnerability underscores its commitment to maintaining high-security standards for its users.

Organizations are urged to act swiftly in updating their systems to ensure continued protection against potential threats posed by CVE-2024-45409.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...