10 points GitLab unauthorized RCE vulnerability exploited in the wild

Researchers found the CVE-2021-22205 RCE vulnerability, rated 10 out of 10, being exploited in the wild.

In April 2021, GitLab issued a security advisory to fix a remote code execution vulnerability in its service web interface, CVE-2021-22205. GitLab describes it as an unauthenticated vulnerability caused by passing a user-provided image to the ExifTool binary embedded in the service. A remote attacker can use this vulnerability to execute arbitrary commands as the git user.

The CVE-2021-22205 vulnerability originally had a CVSS score of 9.9. On September 21, GitLab revised the score from 9.9 to 10. The score was raised because the vulnerability was reclassified from an authenticated vulnerability to an unauthenticated one.


Exploitation in the wild

In a real-world attack report released by the HN security team in October, the attackers registered two users with administrator privileges, using two seemingly random usernames, over the two months from June to July:

The email address specified during registration is not verified by default, so newly created users can log in immediately. Administrators receive no notification at any point in this process.

The researchers then discovered that the attacker logged into the GitLab server with the two newly created users and performed the following actions:

- User registration and login;
- Abusing the GitLab API to list all projects, including private projects;
- Uploading attachments to a project.

The uploaded attachment is actually a malicious payload. The payload used in the in-the-wild exploit spawns a reverse shell, which the attackers used to escalate the two newly registered users to administrators. Other payloads could be used to achieve remote code execution as well. The entire exploit consists of only two requests, because on a default GitLab installation there is no need to abuse the API to find a valid project, and no need to log in or authenticate:
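The account pattern the report describes (self-registered users whose e-mail was never verified, later holding administrator rights) is something an administrator can hunt for in the user list. The following is an added example, not code from the report or from GitLab: it filters user records of the shape returned by the GitLab Users API for admins with an unconfirmed e-mail created inside a look-back window. The field names `username`, `is_admin`, `confirmed_at` and `created_at` are assumed to follow that API, and the records are constructed sample data, not real accounts.

```python
"""Flag self-registered accounts matching the in-the-wild pattern described
in the report: created with an unverified e-mail and holding admin rights.

Added example, not GitLab's or the HN security team's code. Field names are
assumed to follow the GitLab Users API (GET /api/v4/users, admin view).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real users.
SAMPLE_USERS = [
    {"username": "root", "is_admin": True,
     "confirmed_at": "2020-01-10T09:00:00.000Z",
     "created_at": "2020-01-10T09:00:00.000Z"},
    {"username": "alice", "is_admin": False,
     "confirmed_at": "2021-03-02T11:15:00.000Z",
     "created_at": "2021-03-02T11:14:00.000Z"},
    {"username": "xk9q2ljd", "is_admin": True,
     "confirmed_at": None,                        # e-mail never verified
     "created_at": "2021-06-18T03:41:00.000Z"},
    {"username": "p0v7ztrm", "is_admin": True,
     "confirmed_at": None,
     "created_at": "2021-07-05T22:07:00.000Z"},
]

# Constructed reference time for the look-back window (the report's data
# covered June and July, so a review in early August is assumed here).
REPORT_TIME = datetime(2021, 8, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    # GitLab timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_admins(users, now, window_days=90):
    """Return usernames of admins whose e-mail was never confirmed and whose
    account was created within the last `window_days` before `now`."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for user in users:
        if not user.get("is_admin"):
            continue                      # only admin accounts are of interest
        if user.get("confirmed_at") is not None:
            continue                      # e-mail was verified; not the pattern
        if _parse_ts(user["created_at"]) < cutoff:
            continue                      # older than the look-back window
        hits.append(user["username"])
    return hits


if __name__ == "__main__":
    for name in suspicious_admins(SAMPLE_USERS, REPORT_TIME):
        print(f"review admin account: {name}")
```

In a live deployment the records would come from an admin-scoped call to the Users API and the output would feed a ticket or alert; the filter itself does not change. Tightening `window_days` narrows the result to the most recently created accounts.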


Request to obtain the CSRF token


Unauthenticated upload request carrying the malicious payload

Vulnerability Impact

The CVE-2021-22205 vulnerability affects all GitLab Enterprise Edition and GitLab Community Edition releases since 11.9.

Patch

The vulnerability has been fixed in the following versions:

- 13.10.3
- 13.9.6
- 13.8.8
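Deciding whether a given installation needs the patch means comparing its version against the affected range stated above: everything since 11.9, with fixes in 13.10.3, 13.9.6 and 13.8.8. The helper below is an added example, not GitLab's own code; it parses version strings as they appear on an instance (including an `-ee` suffix) and reports whether they fall inside that range. One assumption not stated on the page: any release newer than 13.10.3 is treated as carrying the fix.

```python
"""Classify a GitLab version string against the CVE-2021-22205 affected range.

Added example, not GitLab's code. Affected range as stated on the page:
every release since 11.9; fixed in 13.10.3, 13.9.6 and 13.8.8.
Assumption (not on the page): releases newer than 13.10.3 include the fix.
"""
import re

FIRST_AFFECTED = (11, 9, 0)

# Fix release per maintained branch: (major, minor) -> first patched version.
FIXED_IN = {
    (13, 10): (13, 10, 3),
    (13, 9): (13, 9, 6),
    (13, 8): (13, 8, 8),
}


def parse_version(text):
    """Turn '13.9.5-ee' or '13.10.3' into a (major, minor, patch) tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(text):
    """True when the version is inside the affected range."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False                      # predates the vulnerable code
    branch = (version[0], version[1])
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]  # same branch: compare patch level
    # Branches between 11.9 and 13.7 never received a backported fix;
    # branches above 13.10 are assumed to ship with the fix.
    return version < max(FIXED_IN.values())


def triage(versions):
    """Map each version string to 'AFFECTED' or 'not affected'."""
    return {v: ("AFFECTED" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory of instance versions.
    for version, verdict in triage(["11.8.9", "13.7.0", "13.9.5-ee",
                                    "13.9.6", "13.10.2", "14.0.0"]).items():
        print(f"{version:>10}: {verdict}")
```

Feed it the version shown on an instance's help page or returned by the version endpoint; a result of `AFFECTED` means the instance is on a branch that either predates the fix or needs its patch level raised.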
