Hackers are busy exploiting a GitLab unauthenticated RCE flaw in the wild. Cybersecurity researchers warn that the flaw, patched by GitLab but still unpatched on many deployments, is being exploited in the wild, leaving a large number of internet-facing GitLab instances susceptible to attack.
The vulnerability is tracked as CVE-2021-22205, related to an improper validation of user-provided images that results in arbitrary code execution and affects versions starting from 11.9. GitLab has addressed the vulnerability on April 14, 2021, in versions 13.8.8, 13.9.6, and 13.10.3.
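For defenders checking an inventory of GitLab hosts, the practical question is whether a given version string falls inside the affected range the article describes (11.9 and later, fixed in 13.8.8, 13.9.6 and 13.10.3). The following is an added example, not code from the article or from GitLab; it assumes the version string has already been obtained from the instance (for example from the admin area or `gitlab-rake gitlab:env:info` on the host) and that any branch released after 13.10 ships with the fix, which is an assumption derived from the fix date rather than stated on the page.

```python
"""Classify GitLab version strings against the range affected by CVE-2021-22205.

Added example (not from the article or from GitLab). The boundaries are the ones
the article gives: affected from 11.9, fixed in 13.8.8, 13.9.6 and 13.10.3.
"""
import re
from typing import Tuple

FIRST_AFFECTED = (11, 9, 0)

# Fixed release on each branch that was maintained when the April 2021 patch shipped.
FIXED_BY_BRANCH = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
LAST_FIXED = (13, 10, 3)

# Accepts "13.10.2-ee", "v13.9.6", "11.9" and similar; edition suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text: str) -> bool:
    """True when the version is inside the vulnerable range."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is not None:
        # Branch received a backported fix: vulnerable only below that release.
        return v < fixed
    # No fix on this branch: anything older than the newest patched branch
    # is vulnerable; anything newer than 13.10 was released after the fix
    # (assumption based on the fix date, not a statement from the article).
    return v < LAST_FIXED


def assess(version_text: str) -> str:
    """Return a one-line verdict suitable for an inventory report."""
    v = parse_version(version_text)
    if not is_affected(version_text):
        return f"{version_text}: not affected by CVE-2021-22205"
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    target = ".".join(map(str, fixed)) if fixed else "13.10.3 or later"
    return f"{version_text}: VULNERABLE, upgrade to {target}"


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real hosts.
    for ver in ["11.8.3", "12.4.0-ee", "13.8.7", "13.8.8", "13.10.2-ee", "13.10.3", "14.3.0"]:
        print(assess(ver))
```

The branch lookup matters because a plain "less than 13.10.3" comparison would wrongly flag 13.8.8 and 13.9.6 as vulnerable even though both carry the backported fix.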
According to HN Security, last month two user accounts with admin privileges were registered on a publicly accessible GitLab server belonging to an unnamed customer. The above-mentioned flaw was used to upload a malicious payload, leading to remote execution of arbitrary commands, including obtaining elevated permissions.
Initially the flaw was assigned a CVSS score of 9.9, as it was considered a case of authenticated RCE. On September 21, 2021, the score was revised to 10.0, as the flaw turned out to be triggerable by unauthenticated threat actors as well.
Rapid7 in a blog post on Monday said, “Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders.” Patches have been publicly available for more than six months, yet of roughly 60,000 internet-facing GitLab installations, only 21% are said to be fully patched while 50% are still vulnerable to RCE attacks.
Considering the unauthenticated nature of the vulnerability, a rise in exploitation activity is expected. Hence it is critical for GitLab users to update to the latest version as soon as possible.
The researchers said, “In addition, ideally, GitLab should not be an internet-facing service. If you need to access your GitLab from the internet, consider placing it behind a VPN.”
You can access additional technical details about the vulnerability here.