GitLab patches RCE bug in GitHub import function

by | Oct 14, 2022 | News


A vulnerability in GitLab allowed attackers to stage various attacks against GitLab servers, including the cloud-hosted GitLab.com platform.

The bug, reported by security researcher ‘yvvdwf’, was caused by the way GitLab imports data from GitHub, which could be exploited to run commands on the host server.

Unsafe imports

GitLab uses Octokit, a library that provides an interface to import data from the GitHub API. To retrieve and present its results, Octokit uses the HTTP client library Sawyer.

However, GitLab directly used the Sawyer results returned by Octokit without sanitizing them, which provided opportunities to insert malicious commands.

Yvvdwf found that one of the parameters used in the import function was prone to command injections against GitLab’s Redis database.


RCE, information theft, and more

On standalone GitLab installations, an attacker could exploit the command injection bug to escalate from Redis to Bash and send commands to the operating system. Any potential attacker would have remote code execution (RCE) access to the host with the privileges of the host process.

While the RCE exploit did not work on GitLab.com, yvvdwf was able to use other Redis commands to replicate data from GitLab.com to a standalone server with a public IP. They were also able to poison GitLab projects through the same mechanism and make them inaccessible.

An attacker with a standalone GitLab installation and an API access token could use the exploit to steal information, inject malicious code, and perform other malicious actions against GitLab.com.

Protecting GitLab servers

The vulnerability was assigned CVE-2022-2884 with a critical base score of 9.9 in the Common Vulnerability Scoring System.

GitLab has already patched the issue in GitLab.com and published a critical security release for GitLab Community Edition and Enterprise Edition.

All users are advised to upgrade their GitLab installation. For organizations that can’t upgrade right away, GitLab advises them to secure their installation by disabling imports until they can patch their system.

While GitLab users will be safe on the cloud platform or an updated self-hosted version, other services that use Octokit to interact with GitHub should be wary and make sure they perform the right checks on the data they pass to and receive from the library.
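One way to apply such checks, as an added Ruby example that is not GitLab's or Octokit's code: every field taken from a remote API response is copied into a plain, type-checked value before it is used to build a cache key. The field names, size limit, and key layout are assumptions made for illustration.

```ruby
require 'json'

# Added example. The field names, limits and cache-key layout are illustrative
# assumptions, not GitLab's importer code.
class UntrustedFieldError < StandardError; end

# Allow-list schema: field name => check that returns a plain value or nil.
# `Integer === v` asks the trusted class, never a method on the untrusted value.
ISSUE_SCHEMA = {
  'id'    => ->(v) { Integer === v && v.positive? ? v : nil },
  'state' => ->(v) { String === v && %w[open closed].include?(v) ? v.dup.freeze : nil },
  'title' => ->(v) { String === v && v.bytesize <= 1024 && v !~ /[\r\n\x00]/ ? v.dup.freeze : nil }
}.freeze

# Copy only schema fields into a fresh Hash; nested objects, arrays and
# unknown keys from the remote response never reach the caller.
def sanitize_issue(raw)
  raise UntrustedFieldError, 'payload must be a JSON object' unless Hash === raw

  ISSUE_SCHEMA.each_with_object({}) do |(field, check), clean|
    value = check.call(raw[field])
    raise UntrustedFieldError, "rejected field: #{field}" if value.nil?

    clean[field] = value
  end.freeze
end

# Build the key from validated integers only.
def cache_key(project_id, issue)
  raise UntrustedFieldError, 'project id must be an Integer' unless Integer === project_id

  "import:#{project_id}:issue:#{issue.fetch('id')}"
end

# Returns the cache key, or :rejected when the response fails validation.
def import_issue(json, project_id)
  cache_key(project_id, sanitize_issue(JSON.parse(json)))
rescue UntrustedFieldError, JSON::ParserError
  :rejected
end

# Constructed sample responses (not captured from any real API).
GOOD_RESPONSE = '{"id": 42, "state": "open", "title": "Fix login", "extra": {"x": 1}}'
NESTED_ID     = '{"id": {"value": 42}, "state": "open", "title": "Fix login"}'
STRING_ID     = '{"id": "42", "state": "open", "title": "Fix login"}'
```

A response whose `id` arrives as an object or a string is rejected outright rather than coerced, so only values of the expected primitive type reach the data store.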


Source: portswigger.net
