In this everchanging online world, keeping your sensitive data secured is getting increasingly difficult and we’re here to tell you about another vulnerability that’s actively being exploited in the wild.

Another GitLab vulnerability actively exploited in the wild

According to HN Security, two suspicious user accounts with admin rights were found on the Internet-exposed GitLab CE server. Apparently, these two users were registered between June and July 2021, with random-looking usernames. This was possible because this version of GitLab CE allows user registration by default. Furthermore, the email address provided during registration isn’t verified by default. This means that the newly created user is automatically logged on without any further steps. To make matters more complicated, absolutely no notifications are sent to the administrators. One of the uploaded attachments caught the experts’ attention, so they set up their own GitLab server and actually attempted to replicate what they observed in the wild. A recently released exploit for CVE-2021-22205 abuses the upload functionality in order to remotely execute arbitrary OS commands. The above-mentioned vulnerability resides in ExifTool, an open-source tool used to remove metadata from images, which fails in parsing certain metadata embedded in the uploaded image. GitLab is composed of multiple elements, such as Redis and Nginx. The one that handles uploads is called gitlab-workhorse, which in turn calls ExifTool before passing the final attachment to Rails. Digging deeper into the logs a little uncovered evidence of two failed uploads within the Workhorse logs. This payload used by the public exploit can execute a reverse shell, whereas the one used against our customer simply escalated the rights of the two previously registered users to admin. So, basically, what appeared to be a privilege escalation vulnerability actually turned out to be an RCE vulnerability. As security experts explained the whole exploiting process boils down to just two requests. All the vulnerabilities described in the article (ExifTool, API abuse, User registration, etc.) are not present in the latest GitLab CE version at the time of writing. However, we strongly advise caution when dealing with anything that involves you being online so that you don’t have any unfortunate experiences. What’s your take on this situation? Share your opinion with us in the comments section below.

Name * Email * Commenting as . Not you? Save information for future comments
Comment

Δ