Critical GitLab Bug Under Exploit Enables Account Takeover, CISA Warns

A critical security vulnerability in GitLab is currently being actively exploited, according to CISA. The flaw allows an attacker to have the password reset request for any account delivered to an email address of the attacker's choosing, facilitating account takeover. Legitimate users would be unable to log in or recover their password if the attacker then changed the email address associated with the GitLab account. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog as CVE-2023-7028; it carries a CVSS 3.0 score of 7.5 from the NVD and a CVSS score of 10.0 from the CNA, GitLab. CVE-2023-7028 is an issue discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2, in which user account password reset emails could be delivered to an unverified email address. Sajeeb Lohani, senior director of cybersecurity at Bugcrowd, notes that there are publicly available exploits for the bug and urges defenders to remediate the issue quickly. CISA is requiring Federal Civilian Executive Branch (FCEB) agencies to remediate FCEB networks against the active threat.

Security Officer Comments:
This is a vulnerability that should be remediated quickly because its simple method of exploitation allows attackers of almost any skill level to carry out malicious account takeover. The rudimentary nature of the exploit, combined with the volume of sensitive source code and proprietary data that organizations store on the GitLab platform, makes it a potentially lucrative target for bad actors.

Suggested Corrections:
David Brumley, Cybersecurity Professor at Carnegie Mellon, recommends that organizations that manage their own GitLab deployments ensure they have a plan to upgrade to a patched version that fixes this vulnerability, if they have not already done so. Mitigations should be employed if upgrading the software version cannot be done immediately.
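The version check that upgrade planning starts with, as an added example that is not code from the article or from GitLab: it encodes only the affected ranges the advisory lists above and assumes the version string is taken from the instance's own version reporting (the `-ee`/`-ce` suffix handling is an assumption about that format).

```python
# Added example: classify a self-managed GitLab version against the
# CVE-2023-7028 affected ranges quoted in the advisory.

# (first affected, first fixed) for each minor series named in the advisory.
AFFECTED_RANGES = [
    ("16.1.0", "16.1.6"),
    ("16.2.0", "16.2.9"),
    ("16.3.0", "16.3.7"),
    ("16.4.0", "16.4.5"),
    ("16.5.0", "16.5.6"),
    ("16.6.0", "16.6.4"),
    ("16.7.0", "16.7.2"),
]


def parse_version(text):
    """Turn '16.5.3-ee' or '16.1' into a comparable (major, minor, patch) tuple.

    The edition suffix ('-ee', '-ce') and any '+build' metadata are dropped;
    a missing patch component is treated as .0, matching how the advisory
    writes '16.1 prior to 16.1.6'.
    """
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def fixed_in(version):
    """Return the first patched release for an affected version, else None.

    Versions before 16.1 and from 16.8 onward are outside every listed
    range and therefore report None, as does any already-patched release.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_vulnerable(version):
    return fixed_in(version) is not None


if __name__ == "__main__":
    for v in ["16.5.3-ee", "16.5.6", "16.0.8", "16.8.0"]:
        print(v, "->", "upgrade to " + fixed_in(v) if is_vulnerable(v) else "not affected")
```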

Larger organizations may want to consider tools that can identify abnormal activity based on user actions, which could flag compromised accounts for quarantine. Erich Kron, a security awareness advocate at KnowBe4, suggests using multifactor authentication (MFA), adding that though not uncompromisable, MFA adds enough complexity that the attackers might fail to lock the rightful user out of their account.

Patrick Tiquet, Vice President of Security and Architecture at Keeper Security, notes that investing in a zero-trust and zero-knowledge cybersecurity architecture and building an effective privileged access management (PAM) solution will ensure users maintain their proper access. Each organization's patch management strategy needs a fast track for critical vulnerabilities of potentially high severity.