Hackers Exploiting GitLab Unauthenticated RCE Flaw (2nd November 2021)

Ref# AL2021_39 | Date: Nov 3rd 2021

A now-patched critical remote code execution (RCE) vulnerability in GitLab's web interface has been detected as actively exploited. The vulnerability, first discovered in April 2021, was initially described as an authenticated remote code execution (RCE) vulnerability but has since been elevated to an unauthenticated vulnerability.

Summary

The GitLab vulnerability, tracked as CVE-2021-22205, was the result of passing user-provided images to the service's embedded version of ExifTool. A remote attacker could execute arbitrary commands as the git user due to ExifTool's mishandling of DjVu files.

How it works

The confusion around the privilege required to exploit this vulnerability is strange. Unauthenticated and remote users have been, and still are, able to reach execution of ExifTool via GitLab. Specifically, HandleFileUploads in uploads.go is called from a couple of PreAuthorizeHandler contexts, allowing the HandleFileUploads logic, which calls down to rewrite.go and exif.go, to execute before authentication.

The fall-out of this design decision is interesting in that an attacker needs none of the following:

  • Authentication
  • A CSRF token
  • A valid HTTP endpoint

As such, the curl command curl -v -F "file=@echo_vakzz.jpg" http://10.0.0.8/$(openssl rand -hex 8) is sufficient to reach, and exploit, ExifTool.
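The upload pattern above (a POST to a random, non-existent path that is still processed before authentication) leaves a distinctive trace in the reverse-proxy access log. The following is an added detection example, not code from the advisory or from GitLab; it assumes an nginx/Apache "combined" format access log in front of GitLab, and the log lines it scans are constructed samples. Because file handling runs before routing, a 404 response does not mean the upload was not passed to ExifTool, so 404s on POSTs are flagged rather than ignored.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2021:10:15:01 +0000] "POST /3f9a1c2e7b4d8f01 HTTP/1.1" 404 162 "-" "curl/7.68.0"
203.0.113.7 - - [02/Nov/2021:10:15:03 +0000] "POST /ab12cd34ef56ab78 HTTP/1.1" 404 162 "-" "curl/7.68.0"
198.51.100.20 - - [02/Nov/2021:10:16:10 +0000] "GET /users/sign_in HTTP/1.1" 200 9731 "-" "Mozilla/5.0"
198.51.100.21 - - [02/Nov/2021:10:17:44 +0000] "POST /group/project/uploads HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Nov/2021:10:18:00 +0000] "GET /deadbeefdeadbeef HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Nov/2021:10:19:30 +0000] "POST /not/a/real/route HTTP/1.1" 404 162 "-" "python-requests/2.25.1"
"""

# Minimal parser for the combined format: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# `openssl rand -hex 8` yields 16 hex characters, so the path in the advisory's
# command is a single 16-hex-char segment.
RANDOM_PATH_RE = re.compile(r'^/[0-9a-f]{16}$')


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_uploads(log_text):
    """Flag POSTs that look like pre-auth upload probing against GitLab."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        status = int(rec["status"])
        if RANDOM_PATH_RE.match(rec["path"]):
            reason = "POST to random 16-hex path (matches the openssl rand -hex 8 pattern)"
        elif status == 404:
            reason = "POST to non-existent endpoint; upload handling runs before routing"
        else:
            continue
        findings.append(Finding(rec["ip"], rec["ts"], rec["path"], status, reason))
    return findings
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; hits from the same client in quick succession are the strongest signal.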

Remediation

The vulnerability was patched in GitLab versions 13.10.3, 13.9.6 and 13.8.8. GitLab users should upgrade to the latest version of GitLab as soon as possible. Ideally, GitLab should not be an internet-facing service. If you need to access your GitLab from the internet, consider placing it behind a VPN.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

Reference

Lakshmanan, Ravie. (2nd November 2021). Hackers Exploiting GitLab Unauthenticated RCE Flaw. Retrieved from The Hacker News:
https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html

Baines, Jake. (1st November 2021). GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild. Retrieved from Rapid7:
https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/