GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass.
The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week.
The problem as a result of the library not properly verifying the signature of the SAML Response. SAML, short for Security Assertion Markup Language, is a protocol that enables single sign-on (SSO) and exchange of authentication and authorization data across multiple apps and websites.
“An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents, according to a security advisory. “This would allow the attacker to log in as arbitrary user within the vulnerable system.”
It’s worth noting the flaw also impacts omniauth-saml, which shipped an update of its own (version 2.2.1) to upgrade ruby-saml to version 1.17.
The latest patch from GitLab is designed to update the dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0. This includes versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
As mitigations, GitLab is urging users of self-managed installations to enable two-factor authentication (2FA) for all accounts and disallow the SAML two-factor bypass option.
GitLab makes no mention of the flaw being exploited in the wild, but it has provided indicators of attempted or successful exploitation, suggesting that threat actors may be actively trying to capitalize on the shortcomings to gain access to susceptible GitLab instances.
“Successful exploitation attempts will trigger SAML related log events,” it said. “A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation.”
“Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit.”
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a recently disclosed critical bug impacting Apache HugeGraph-Server (CVE-2024-27348, CVSS score: 9.8), based on evidence of active exploitation.
Federal Civilian Executive Branch (FCEB) agencies have been recommended to remediate the identified vulnerabilities by October 9, 2024, to protect their networks against active threats.