Cyber Security News

GitLab Urges Organization to Patch for Authentication Bypass Vulnerability

GitLab has issued an urgent call to action for organizations using its platform to patch a critical authentication bypass vulnerability.

This security flaw, CVE-2024-45409, affects instances configured with SAML-based authentication. The vulnerability could potentially allow unauthorized access to sensitive data.

To address this, GitLab has released new Community Edition (CE) and Enterprise Edition (EE) versions and urged immediate updates.

Today, GitLab released versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 for CE and EE. These updates include important bug fixes and security patches to mitigate the risks associated with the identified vulnerability.

GitLab.com has already been updated with these patches, and all GitLab Dedicated instances have been upgraded automatically, requiring no action from customers.

Understanding the Vulnerability: CVE-2024-45409

The critical vulnerability involves an authentication bypass via SAML (Security Assertion Markup Language). Attackers could exploit this flaw to gain unauthorized access to GitLab instances configured with SAML-based authentication.

To mitigate this issue, GitLab has updated dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

These updates address the security gap and prevent potential exploitation of the CVE-2024-45409 vulnerability.

GitLab strongly recommends that all self-managed installations be upgraded to the latest versions immediately to protect against this vulnerability.

The company emphasizes that when no specific deployment type is mentioned (such as omnibus, source code, helm chart), all types are affected.

Self-Managed GitLab: Known Mitigations

For self-managed GitLab installations, specific mitigations can help prevent successful exploitation:

  1. Enable Two-Factor Authentication (2FA): It is advised that GitLab’s two-factor authentication for all user accounts on self-managed instances be enabled.
  2. Disable SAML Two-Factor Bypass: Ensure that the SAML two-factor bypass option is not allowed in GitLab settings.

Identifying and Detecting Exploitation Attempts

GitLab provides guidance on identifying and detecting potential exploitation attempts of the Ruby-SAML vulnerability.

Unsuccessful Exploit Attempts

Unsuccessful attempts may generate a ValidationError from the RubySaml library, which can be detected in the application_json log files. Common errors include incorrect callback URLs or certificate signing issues.

Example Log Events:

  • Invalid Ticket due to Incorrect Callback URL
{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}
  • Invalid Ticket due to Certificate Signing Issue
"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"

Successful Exploitation Attempts

Successful exploitation will trigger specific SAML-related log events that differ from legitimate authentication events. An attacker’s unique extern_id could indicate potential exploitation.

Example Exploit Authentication Event:

{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}

For self-managed customers forwarding logs to an SIEM (Security Information and Event Management), creating detections for Ruby-SAML exploitation attempts is possible using threat detection rules shared by GitLab in Sigma format.

GitLab’s proactive approach to addressing this critical vulnerability underscores its commitment to maintaining high-security standards for its users.

Organizations are urged to act swiftly in updating their systems to ensure continued protection against potential threats posed by CVE-2024-45409.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

39 seconds ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

2 hours ago

CISA Warns of Actors Exploiting Two Palo Alto Networks Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert and added two…

2 hours ago

Google Unveils New Intelligent, Real-Time Protections for Android Users

Google has once again raised the bar for mobile security by introducing two new AI-powered…

23 hours ago

Chinese National Faces 20 Years of Jail Time for Laundering Millions in Crypto

Daren Li, 41, a dual citizen of China and St. Kitts and Nevis, and a…

23 hours ago

Google to Issue CVEs for Critical Cloud Vulnerabilities

Google Cloud has announced a significant step forward in its commitment to transparency and security…

1 day ago