GitLab has issued an urgent call to action for organizations using its platform to patch a critical authentication bypass vulnerability.
This security flaw, CVE-2024-45409, affects instances configured with SAML-based authentication. The vulnerability could potentially allow unauthorized access to sensitive data.
To address this, GitLab has released new Community Edition (CE) and Enterprise Edition (EE) versions and urged immediate updates.
Today, GitLab released versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 for CE and EE. These updates include important bug fixes and security patches to mitigate the risks associated with the identified vulnerability.
GitLab.com has already been updated with these patches, and all GitLab Dedicated instances have been upgraded automatically, requiring no action from customers.
The critical vulnerability involves an authentication bypass via SAML (Security Assertion Markup Language). Attackers could exploit this flaw to gain unauthorized access to GitLab instances configured with SAML-based authentication.
To mitigate this issue, GitLab has updated dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
These updates address the security gap and prevent potential exploitation of the CVE-2024-45409 vulnerability.
GitLab strongly recommends that all self-managed installations be upgraded to the latest versions immediately to protect against this vulnerability.
The company emphasizes that when no specific deployment type is mentioned (such as omnibus, source code, helm chart), all types are affected.
For self-managed GitLab installations, specific mitigations can help prevent successful exploitation:
GitLab provides guidance on identifying and detecting potential exploitation attempts of the Ruby-SAML vulnerability.
Unsuccessful Exploit Attempts
Unsuccessful attempts may generate a ValidationError from the RubySaml library, which can be detected in the application_json log files. Common errors include incorrect callback URLs or certificate signing issues.
Example Log Events:
{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}
"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"
Successful Exploitation Attempts
Successful exploitation will trigger specific SAML-related log events that differ from legitimate authentication events. An attacker’s unique extern_id could indicate potential exploitation.
Example Exploit Authentication Event:
{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}
For self-managed customers forwarding logs to an SIEM (Security Information and Event Management), creating detections for Ruby-SAML exploitation attempts is possible using threat detection rules shared by GitLab in Sigma format.
GitLab’s proactive approach to addressing this critical vulnerability underscores its commitment to maintaining high-security standards for its users.
Organizations are urged to act swiftly in updating their systems to ensure continued protection against potential threats posed by CVE-2024-45409.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial
CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…
A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert and added two…
Google has once again raised the bar for mobile security by introducing two new AI-powered…
Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and a…
Google Cloud has announced a significant step forward in its commitment to transparency and security…