GitLab has issued an urgent call to action for organizations using its platform to patch a critical authentication bypass vulnerability.
This security flaw, CVE-2024-45409, affects instances configured with SAML-based authentication. The vulnerability could potentially allow unauthorized access to sensitive data.
To address this, GitLab has released new Community Edition (CE) and Enterprise Edition (EE) versions and urged immediate updates.
Today, GitLab released versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 for CE and EE. These updates include important bug fixes and security patches to mitigate the risks associated with the identified vulnerability.
GitLab.com has already been updated with these patches, and all GitLab Dedicated instances have been upgraded automatically, requiring no action from customers.
Understanding the Vulnerability: CVE-2024-45409
The critical vulnerability involves an authentication bypass via SAML (Security Assertion Markup Language). Attackers could exploit this flaw to gain unauthorized access to GitLab instances configured with SAML-based authentication.
To mitigate this issue, GitLab has updated dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
These updates address the security gap and prevent potential exploitation of the CVE-2024-45409 vulnerability.
GitLab strongly recommends that all self-managed installations be upgraded to the latest versions immediately to protect against this vulnerability.
The company emphasizes that when no specific deployment type is mentioned (such as omnibus, source code, helm chart), all types are affected.
Self-Managed GitLab: Known Mitigations
For self-managed GitLab installations, specific mitigations can help prevent successful exploitation:
- Enable Two-Factor Authentication (2FA): It is advised that GitLab’s two-factor authentication for all user accounts on self-managed instances be enabled.
- Disable SAML Two-Factor Bypass: Ensure that the SAML two-factor bypass option is not allowed in GitLab settings.
Identifying and Detecting Exploitation Attempts
GitLab provides guidance on identifying and detecting potential exploitation attempts of the Ruby-SAML vulnerability.
Unsuccessful Exploit Attempts
Unsuccessful attempts may generate a ValidationError from the RubySaml library, which can be detected in the application_json log files. Common errors include incorrect callback URLs or certificate signing issues.
Example Log Events:
- Invalid Ticket due to Incorrect Callback URL
{"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}
- Invalid Ticket due to Certificate Signing Issue
"message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"
Successful Exploitation Attempts
Successful exploitation will trigger specific SAML-related log events that differ from legitimate authentication events. An attacker’s unique extern_id could indicate potential exploitation.
Example Exploit Authentication Event:
{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user [email protected] from login with admin =\u003e false, extern_uid =\u003e exploit-test-user"}
For self-managed customers forwarding logs to an SIEM (Security Information and Event Management), creating detections for Ruby-SAML exploitation attempts is possible using threat detection rules shared by GitLab in Sigma format.
GitLab’s proactive approach to addressing this critical vulnerability underscores its commitment to maintaining high-security standards for its users.
Organizations are urged to act swiftly in updating their systems to ensure continued protection against potential threats posed by CVE-2024-45409.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial