On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog to include a new vulnerability, prompted by evidence of active exploitation discovered within the DevOps platform GitLab.
The vulnerability, tracked as CVE-2023-7028 (CVSS score: 10), allows a threat actor to have password reset emails sent to arbitrary, unverified email addresses, enabling an account takeover that requires no user interaction.
Moreover, successful exploitation of the vulnerability could result in supply chain attacks through the insertion of malicious code into CI/CD (Continuous Integration/Continuous Deployment) environments.
Although individuals with two-factor authentication (2FA) enabled remain susceptible to password reset, they are not vulnerable to account takeover since their second authentication factor is necessary for logging in. Therefore, it is crucial to patch systems where accounts lack this additional security measure.
The CVE-2023-7028 vulnerability found in GitLab Community Edition (CE) and Enterprise Edition (EE) impacts all versions from 16.1 before 16.1.6, 16.2 before 16.2.9, 16.3 before 16.3.7, 16.4 before 16.4.5, 16.5 before 16.5.6, 16.6 before 16.6.4, and 16.7 before 16.7.2.
The issue was resolved in GitLab versions 16.7.2, 16.6.4, and 16.5.6, with patches also being retroactively applied to versions 16.1.6, 16.2.9, and 16.3.7.
GitLab has stated that it did not observe any exploitation of the CVE-2023-7028 vulnerability on platforms under its management, including GitLab.com and GitLab Dedicated instances.
However, the threat monitoring service The Shadowserver Foundation found more than 5,300 GitLab instances exposed to zero-click account takeover attacks in January, at the time the security patches were released. As of Tuesday, that number had decreased by only 55%.
CISA has verified that the CVE-2023-7028 vulnerability is currently being actively exploited in attacks. It has advised U.S. federal agencies to secure their systems by May 22, 2024, or to consider discontinuing use of the product if mitigations cannot be applied.
Although the U.S. cybersecurity agency has not disclosed specifics about the ongoing attacks, it has stated that there is no evidence of the vulnerability being used in ransomware campaigns.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA stated on Wednesday.
GitLab users who have not yet patched their systems should examine their logs for any potential attempts to exploit this vulnerability and refer to GitLab’s incident response guide for remediation steps.
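As an added defender-side example (not code from the article, CISA or GitLab), the block below checks a GitLab version string against the affected ranges listed above and scans constructed sample lines in the shape of GitLab's gitlab-rails/production_json.log for the exploitation signature GitLab described for this CVE: a password-reset POST whose user email parameter is an array holding more than one address. The log layout and field names are assumptions based on GitLab's published guidance; the sample lines, addresses and IPs are constructed.

```python
import json
import re

# Fixed versions per affected 16.x branch, exactly as listed in the article.
FIXED = {(16, 1): (16, 1, 6), (16, 2): (16, 2, 9), (16, 3): (16, 3, 7),
         (16, 4): (16, 4, 5), (16, 5): (16, 5, 6), (16, 6): (16, 6, 4),
         (16, 7): (16, 7, 2)}

def is_affected(version: str) -> bool:
    """True if a GitLab CE/EE version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(parts[:2])
    return fixed is not None and parts < fixed

# Constructed sample lines in the (assumed) shape of gitlab-rails/production_json.log.
# An exploitation attempt submits the password-reset form with user[email] as an
# array holding more than one address; a normal reset carries a single string.
SAMPLE_LOG = """
{"method":"POST","path":"/users/password","remote_ip":"203.0.113.5","time":"2024-01-12T10:00:00Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}]}
{"method":"POST","path":"/users/password","remote_ip":"198.51.100.7","time":"2024-01-12T10:01:00Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"legit@example.com"}}]}
{"method":"GET","path":"/users/sign_in","remote_ip":"198.51.100.7","time":"2024-01-12T10:02:00Z","params":[]}
""".strip()

def suspicious_resets(log_text: str) -> list:
    """Return (time, remote_ip, emails) for reset requests carrying multiple addresses."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or truncated lines
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            if param.get("key") != "user" or not isinstance(param.get("value"), dict):
                continue
            email = param["value"].get("email")
            if isinstance(email, list) and len(email) > 1:
                hits.append((entry.get("time"), entry.get("remote_ip"), email))
    return hits

if __name__ == "__main__":
    print("16.7.1 affected:", is_affected("16.7.1"))
    for hit in suspicious_resets(SAMPLE_LOG):
        print("suspicious reset:", hit)
```

Accounts with 2FA enabled will still appear in these hits because the reset email is sent regardless; the hits identify targeted accounts whose password should be treated as compromised, not only successful takeovers.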