Hackers Exploiting GitLab Unauthenticated RCE Flaw (17th November 2021)

Ref# AL2021_44 | Date: Nov 17th 2021

A now-patched critical remote code execution (RCE) vulnerability in GitLab's web interface has been detected as actively exploited. The vulnerability, first discovered in April 2021, was initially described as an authenticated remote code execution (RCE) vulnerability but has since been elevated to an unauthenticated vulnerability.

Summary

The GitLab vulnerability, tracked as CVE-2021-22205, was the result of passing user-provided images to the service's embedded version of ExifTool. A remote attacker could execute arbitrary commands as the git user due to ExifTool's mishandling of DjVu files.

How it works

The confusion around the privilege level required to exploit this vulnerability is notable: unauthenticated, remote users have been, and still are, able to reach ExifTool through GitLab. Specifically, HandleFileUploads in uploads.go is called from a couple of PreAuthorizeHandler contexts, allowing the HandleFileUploads logic, which calls down to rewrite.go and exif.go, to execute before authentication.

The fall-out of this design decision is interesting in that an attacker needs none of the following:

  • Authentication
  • A CSRF token
  • A valid HTTP endpoint

As such, the curl command curl -v -F "file=@echo_vakzz.jpg" http://10.0.0.8/$(openssl rand -hex 8) is sufficient to reach, and exploit, ExifTool.

Remediation

The vulnerability was patched in versions 13.10.3, 13.9.6 and 13.8.8. GitLab users should upgrade to the latest version of GitLab as soon as possible. Ideally, GitLab should not be an internet-facing service. If you need to access GitLab from the internet, consider placing it behind a VPN.
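To make the upgrade guidance actionable across an inventory, the following added example (not part of this advisory or of GitLab's own tooling) checks whether a reported GitLab version string still predates the fixed releases named above. It assumes a host-to-version mapping gathered by the administrator; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Releases that carry the fix for CVE-2021-22205, as listed in the advisory.
# A release on the same minor branch at or above these, or on any later
# minor branch, is patched; older branches (13.7 and earlier) never received it.
FIXED_VERSIONS = ((13, 10, 3), (13, 9, 6), (13, 8, 8))

# Accepts forms such as "13.10.2-ee", "v13.8.8" or "13.9.6+rc1".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string into (major, minor, patch).
    Edition and build suffixes (-ee, -ce, +rc1, ...) are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if the given GitLab version predates the CVE-2021-22205 fix."""
    major, minor, patch = parse_version(version)
    newest_fixed = max(FIXED_VERSIONS)
    # Anything on a newer minor branch than 13.10 (13.11, 14.x, ...) is patched.
    if (major, minor) > newest_fixed[:2]:
        return False
    for f_major, f_minor, f_patch in FIXED_VERSIONS:
        if (major, minor) == (f_major, f_minor):
            return patch < f_patch
    # Older branches (13.7.x, 12.x, ...) never received the backported fix.
    return True


def find_vulnerable(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose recorded GitLab version is still unpatched."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {
        "git.example.internal": "13.10.2-ee",
        "code.example.internal": "13.9.6-ce",
        "legacy.example.internal": "13.7.9",
        "new.example.internal": "14.3.1-ee",
    }
    for host in find_vulnerable(sample):
        print(f"{host}: running {sample[host]}, upgrade required for CVE-2021-22205")
```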

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.