Urgent Alert: Over 5,300 GitLab Instances Exposed by Critical Zero-Click Flaw

A critical zero-click vulnerability, CVE-2023-7028 (rated CVSS 10.0), remains unpatched on more than 5,300 GitLab instances reachable from the internet, researchers have found. Although the issue has been fixed in the latest GitLab releases, not all administrators have managed to update their installations in time.

This vulnerability enables attackers to take over accounts without any user interaction: an attacker triggers a password reset for a victim account and has the reset email delivered to an address under their control, then sets a new password and seizes the account.

While the vulnerability does not allow two-factor authentication (2FA) to be bypassed, accounts not protected by that additional safeguard are at severe risk.

The problem affects the following releases of GitLab Community and Enterprise Edition:

  • Versions 16.1 prior to 16.1.5;
  • Versions 16.2 prior to 16.2.8;
  • Versions 16.3 prior to 16.3.6;
  • Versions 16.4 prior to 16.4.4;
  • Versions 16.5 prior to 16.5.6;
  • Versions 16.6 prior to 16.6.4;
  • Versions 16.7 prior to 16.7.2.

Fixed versions were released on January 11th. Two weeks later, the threat monitoring service Shadowserver reported 5,379 vulnerable GitLab instances still accessible from the internet.

Given GitLab’s role as a platform for software development and project planning, as well as the nature of the vulnerability, these servers are under threat of supply chain attacks, exposure of proprietary code, leakage of API keys, and other malicious activities.

According to Shadowserver, the majority of vulnerable servers are located in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the United Kingdom (122), India (117), and Canada (99).

Those who have yet to install the patches may already be compromised, so it is crucial to follow GitLab’s incident response guide and check for signs of compromise.

GitLab previously shared the following detection advice for cybersecurity specialists:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
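The two checks above can be automated. The following script is an added example, not part of the original article or of GitLab’s own tooling: it reads JSON-lines logs in the shape of gitlab-rails/production_json.log and gitlab-rails/audit_json.log and flags the entries the advice describes (a /users/password request whose params.value.email is a JSON array with more than one address, and an audit event from PasswordsController#create whose target_details is such an array). The log lines embedded below are constructed for the demonstration; field names other than those named in the advice (method, params key/value layout, remote_ip, time) are assumptions about the log layout, and target_details is handled both as a native array and as a string that serialises one.

```python
import json
from typing import Any, Iterable, Optional, Tuple

RESET_PATH = "/users/password"               # path named in GitLab's detection advice
RESET_CALLER = "PasswordsController#create"   # meta.caller_id named in GitLab's detection advice


def _as_email_list(value: Any) -> Optional[list]:
    """Return a list if `value` is a JSON array, or a string that serialises one; else None.
    target_details may be stored as a string, so both shapes are accepted."""
    if isinstance(value, list):
        return value
    if isinstance(value, str) and value.lstrip().startswith("["):
        try:
            parsed = json.loads(value)
        except json.JSONDecodeError:
            return None
        if isinstance(parsed, list):
            return parsed
    return None


def _iter_json_lines(text: str) -> Iterable[Tuple[int, dict]]:
    """Yield (line_number, entry) for every parseable JSON object line; skip blank or truncated lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield lineno, entry


def find_suspicious_password_resets(production_log: str) -> list:
    """production_json.log check: requests to /users/password whose params.value.email
    is a JSON array holding more than one address."""
    hits = []
    for lineno, entry in _iter_json_lines(production_log):
        if entry.get("path") != RESET_PATH:
            continue
        for param in entry.get("params") or []:   # assumed layout: [{"key": ..., "value": ...}, ...]
            value = param.get("value") if isinstance(param, dict) else None
            if not isinstance(value, dict):
                continue
            emails = _as_email_list(value.get("email"))
            if emails is not None and len(emails) > 1:
                hits.append({"line": lineno, "time": entry.get("time"),
                             "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def find_suspicious_audit_events(audit_log: str) -> list:
    """audit_json.log check: meta.caller_id == PasswordsController#create and target_details
    holding a JSON array of more than one address."""
    hits = []
    for lineno, entry in _iter_json_lines(audit_log):
        caller = entry.get("meta.caller_id")          # flat dotted key
        if caller is None and isinstance(entry.get("meta"), dict):
            caller = entry["meta"].get("caller_id")   # nested form, in case the log is structured that way
        if caller != RESET_CALLER:
            continue
        emails = _as_email_list(entry.get("target_details"))
        if emails is not None and len(emails) > 1:
            hits.append({"line": lineno, "time": entry.get("time"), "emails": emails})
    return hits


# Constructed sample log lines (not captured from a real GitLab instance).
PRODUCTION_JSON_LOG = "\n".join(json.dumps(e) for e in [
    {"method": "POST", "path": "/users/password", "time": "2024-01-12T10:00:00.000Z",
     "remote_ip": "203.0.113.5",
     "params": [{"key": "user", "value": {"email": "alice@example.com"}}]},   # ordinary reset: not flagged
    {"method": "POST", "path": "/users/password", "time": "2024-01-12T10:01:00.000Z",
     "remote_ip": "198.51.100.7",
     "params": [{"key": "user", "value": {"email": ["alice@example.com",
                                                    "attacker-controlled@example.net"]}}]},  # flagged
    {"method": "POST", "path": "/users/password", "time": "2024-01-12T10:02:00.000Z",
     "remote_ip": "203.0.113.9",
     "params": [{"key": "user", "value": {"email": ["bob@example.com"]}}]},   # one-element array: not flagged
    {"method": "GET", "path": "/users/sign_in", "time": "2024-01-12T10:02:30.000Z", "params": []},
])

AUDIT_JSON_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2024-01-12T10:00:00.100Z", "meta.caller_id": "PasswordsController#create",
     "target_details": "alice@example.com"},                                   # not flagged
    {"time": "2024-01-12T10:01:00.100Z", "meta.caller_id": "PasswordsController#create",
     "target_details": json.dumps(["alice@example.com", "attacker-controlled@example.net"])},  # flagged
    {"time": "2024-01-12T10:03:00.100Z", "meta.caller_id": "SessionsController#create",
     "target_details": json.dumps(["x@example.com", "y@example.com"])},        # other caller: not flagged
])

if __name__ == "__main__":
    for hit in find_suspicious_password_resets(PRODUCTION_JSON_LOG):
        print("production_json.log:", hit)
    for hit in find_suspicious_audit_events(AUDIT_JSON_LOG):
        print("audit_json.log:", hit)
```

To run this against a real instance, replace the constructed strings with the contents of the two log files (on Omnibus installations they are typically found under /var/log/gitlab/gitlab-rails/), and remember that rotated or compressed copies covering the window since the fix was published on January 11th need to be checked as well. A hit means a reset request named more than one address; the remote_ip and time of each hit are the starting point for the rest of the incident response.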

Administrators who discover compromised instances should change all credentials, API tokens, certificates, and other secrets, in addition to activating 2FA on all accounts and installing security updates.

After securing the servers, administrators should review any changes made to the development environment, including the source code and any files that may have been tampered with.

To date, there have been no confirmed cases of active exploitation of CVE-2023-7028, but this is no reason to delay taking action.