Critical SAML login vulnerability with maximum score jeopardizes Gitlab server

Under certain conditions, attackers can gain access to the DevSecOps platform Gitlab.


Admins of self-hosted Gitlab instances should update their servers quickly. Because of a "critical" security vulnerability, attackers may be able to gain access without logging in.

In a warning message, the developers state that Gitlab cloud instances are already secured. The vulnerability (CVE-2024-45409) is classified with the highest possible CVSS score of 10 out of 10. However, it only threatens systems where SAML authentication is active.

Where SAML is active, attackers can bypass the login and gain access to the instance. The cause is that certain versions of the Ruby SAML library do not properly verify the signatures of SAML responses, so an attacker who has access to a signed SAML document can forge responses.

Given the critical classification, successfully attacked systems should be regarded as fully compromised. Accordingly, the Gitlab developers recommend an immediate update. If admins cannot install the available secure versions immediately, they should protect their instances with a temporary mitigation.

To do this, they must enforce Gitlab's two-factor authentication for all user accounts and ensure that the "SAML two-factor bypass" option is not active. The developers state that the following versions are protected against the described attack:

  • 16.11.10
  • 17.0.8
  • 17.1.8
  • 17.2.7
  • 17.3.3
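As an added example (not Gitlab's own tooling), the following Python check combines the two conditions named above: an instance is covered if it runs one of the listed patched releases, or if it enforces 2FA for all users with the SAML two-factor bypass switched off. The version table comes from the list above; treating releases newer than the 17.3 branch as fixed is an assumption made here.

```python
"""Check whether a self-hosted GitLab instance is covered against CVE-2024-45409.

Added example, not GitLab's own code. Patched releases and the temporary
mitigation follow the advisory summary; branches newer than 17.3 are
assumed (not stated on the page) to carry the fix.
"""
from typing import Optional, Tuple

# Minimum patched release per maintained branch, as listed in the advisory.
PATCHED = {
    (16, 11): 10,
    (17, 0): 8,
    (17, 1): 8,
    (17, 2): 7,
    (17, 3): 3,
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '17.2.7' (optionally with an '-ee'/'-ce' suffix) into (17, 2, 7)."""
    core = version.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if len(parts) != 3:
        raise ValueError(f"unexpected GitLab version string: {version!r}")
    return parts[0], parts[1], parts[2]


def is_patched(version: str) -> bool:
    """True if the release carries the CVE-2024-45409 fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return patch >= PATCHED[branch]
    # Assumption: branches newer than the newest listed one include the fix;
    # anything older than the oldest listed branch is unsupported and unpatched.
    return branch > max(PATCHED)


def needs_action(version: str, saml_enabled: bool,
                 two_factor_required: bool, saml_two_factor_bypass: bool) -> Optional[str]:
    """Return a short reason the instance is still exposed, or None if covered."""
    if not saml_enabled:
        return None  # the flaw only affects instances with SAML authentication active
    if is_patched(version):
        return None
    if two_factor_required and not saml_two_factor_bypass:
        return None  # the advisory's temporary mitigation is in place
    return f"GitLab {version} is unpatched; update, or enforce 2FA with SAML bypass off"
```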

To check whether a system has already been attacked, admins can inspect log files such as application_json and auth_json; the warning message provides further details. Gitlab also offers detection rules in Sigma format.

Just last week, the Gitlab developers released many security patches.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.