Article Details
Scrape Timestamp (UTC): 2024-01-24 18:00:49.358
Original Article Text
Click to Toggle View
Over 5,300 GitLab servers exposed to zero-click account takeover attacks. Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month. The critical (CVSS score: 10.0) flaw allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account. Although the flaw does not bypass two-factor authentication (2FA), it is a significant risk for any accounts not protected by this extra security mechanism. The issue impacts GitLab Community and Enterprise Edition versions 16.1 before 16.1.5, 16.2 before 16.2.8, 16.3 before 16.3.6, 16.4 before 16.4.4, 16.5 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2. GitLab released fixes in 16.7.2, 16.5.6, and 16.6.4, also backporting patches to 16.1.6, 16.2.9, and 16.3.7, on January 11, 2024. Today, 13 days after the security updates were made available, threat monitoring service ShadowServer reports seeing 5,379 vulnerable GitLab instances exposed online. Based on GitLab's role as a software development and project planning platform and the type and severity of the flaw, these servers are at risk of supply chain attacks, proprietary code disclosure, API key leaks, and other malicious activity. Shadowserver reports that most of the vulnerable servers are in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the U.K. (122), India (117), and Canada (99). Those who haven't patched yet may have been compromised already, so using GitLab's incident response guide and checking for signs of compromise is critical. GitLab previously shared the following detection tips for defenders: Admins who find instances that have been compromised should rotate all credentials, API tokens, certificates, and any other secrets, in addition to enabling 2FA on all accounts and applying the security update. After securing the servers, admins should check for modifications in their developer environment, including source code and potentially tampered files. As of today, there have been no confirmed cases of active exploitation of CVE-2023-7028, but this shouldn't be interpreted as a reason to postpone taking action.
Daily Brief Summary
Over 5,300 GitLab servers are at risk due to a critical zero-click account takeover flaw (CVE-2023-7028) with a CVSS score of 10.0.
Attackers can reset targeted account passwords and redirect them to their email addresses, potentially bypassing accounts without 2FA.
Vulnerable versions include GitLab Community and Enterprise Editions across multiple release lines, with patches released in multiple versions as of January 11, 2024.
ShadowServer found the majority of the affected servers are in the US, Germany, Russia, China, France, the U.K., India, and Canada.
Unpatched instances are susceptible to supply chain attacks, code disclosures, and leaks of API keys among other threats.
GitLab recommends that admins who discover breaches should rotate all sensitive credentials and enforce 2FA, as well as check for tampering within developer environments.
Despite no reported exploitations of the vulnerability to date, GitLab urges immediate action to mitigate potential compromise.