GitLab has released an update to address a maximum-severity Security Assertion Markup Language (SAML) vulnerability in self-managed deployments of both the community and enterprise editions of the popular continuous integration / continuous delivery (CI/CD) platform.
The flaw, designated CVE-2024-45409, is due to insufficient validation of SAML assertions, which are used to identify users across different systems. SAML is a widely used single sign-on (SSO) authentication protocol that allows users to sign in once, using one set of credentials, and access multiple applications.
To exploit the flaw, the threat actor needs only to send a specially crafted SAML response that fools GitLab into thinking the request came from an authenticated user, which bypasses the normal SAML authentication process. As a result, the threat actor can gain access to the GitLab instance.
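The class of validation the flaw concerns, as an added illustration that is not GitLab's code and does not reproduce its specific defect: a service provider must check that the response carries exactly one assertion, that the assertion is the element the signature actually references, that the signature verifies, and that issuer, audience, validity window and InResponseTo all match what the SP expects. The cryptographic XML-DSig check is delegated to a caller-supplied `verify_signature` hook (an assumption here; a real SP uses an XML-DSig library), and the sample response and entity IDs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML UTC timestamps

def validate_response(xml, sp_entity_id, idp_issuer, request_id, verify_signature,
                      now, skew=timedelta(minutes=2)):
    """Return the subject NameID or raise ValueError. verify_signature(elem) -> bool
    is a caller-supplied hook (assumption) that does the XML-DSig crypto check."""
    assertions = ET.fromstring(xml).findall("saml:Assertion", NS)
    if len(assertions) != 1: raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_issuer: raise ValueError("wrong Issuer")
    # Signature must sit inside the consumed assertion and reference its ID (wrapping guard)
    sig = a.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise ValueError("no signature bound to this assertion")
    if not verify_signature(a): raise ValueError("signature verification failed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (ts(cond.get("NotBefore")) - skew <= now
                            < ts(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")
    if sp_entity_id not in [x.text for x in
                            cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not issued for this service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:  # unsolicited or replayed
        raise ValueError("assertion does not answer our AuthnRequest")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample response (not real IdP output); the Signature is a placeholder.
SAMPLE = """<Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion ID="_a1">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation>
   <saml:SubjectConfirmationData InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-09-18T10:00:00Z" NotOnOrAfter="2024-09-18T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://gitlab.example</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></Response>"""
NOW = datetime(2024, 9, 18, 10, 2, tzinfo=timezone.utc)
def check(xml=SAMPLE, verify=lambda elem: True, request_id="_req1", now=NOW):
    # Wrapper for demos: NameID on success, "rejected: <reason>" otherwise
    try:
        return validate_response(xml, "https://gitlab.example", "https://idp.example",
                                 request_id, verify, now)
    except ValueError as e: return "rejected: " + str(e)
```

Each rejection reason maps to one check an SP should never skip; a response that fails any of them must not log anyone in, regardless of how the rest of it looks.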
GitLab stated that it wasn’t aware of any active exploitation of CVE-2024-45409 but did provide a list of signs of attempted or successful exploitation in its advisory. The company strongly suggests that users update as soon as possible. For those who can’t, enable two-factor authentication (2FA) for all accounts and set the SAML 2FA bypass option to "do not allow."
Source: Bleeping Computer
Analysis
It’s interesting that GitLab provided a list of attempted/successful compromise indicators yet also stated that it was unaware of any active exploitation of the vulnerability. Usually, these lists are derived from exploitation attempts in the wild, but it’s also possible that GitLab conducted its own testing of CVE-2024-45409 which led to the list's creation.
September is turning out to be a busy month for GitLab’s vulnerability researchers, as earlier this week patches for 17 vulnerabilities were released, including a highly critical flaw that could allow threat actors to arbitrarily execute pipeline jobs.
CI/CD solutions like GitLab are popular targets for threat actors looking to obtain and/or manipulate source code to identify vulnerabilities and conduct supply chain attacks.
For example, in March 2024, a critical severity authentication bypass vulnerability in the on-premise version of JetBrains’s TeamCity CI/CD solution was leveraged by various threat actors to create administrator accounts on unpatched TeamCity instances exposed to the internet, providing full control over all the projects, builds, agents, and artifacts contained on the server.
While GitLab isn’t yet aware of any active exploitation of CVE-2024-45409, its maximum severity rating indicates that it is likely trivial to exploit, which poses a significant threat to software development teams using GitLab for CI/CD. Thus, it's likely only a matter of time before threat actors begin targeting unpatched deployments of GitLab, making it vital that administrators patch as soon as possible.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in platforms like GitLab. Field Effect MDR users are automatically notified if a vulnerable GitLab version is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends users of affected self-managed GitLab deployments update to the latest version as soon as possible, in accordance with the advisory.