A critical security issue has been discovered in GitLab, affecting users across multiple versions of the software. This issue, assigned the identifier CVE-2023-0632, is a vulnerability that enables attackers to crash a GitLab instance using a Regular Expression Denial of Service (ReDoS) attack. By successfully exploiting this weakness, bad actors can cause major disruption to GitLab deployments, delaying critical updates, feature releases, and project maintenance.

Affected GitLab Versions

This issue is known to affect GitLab versions ranging from 15.2 to 16.0.7, 16.1, and 16.2. If you are using any of these affected versions, it is highly recommended to update your GitLab instance to the latest available version for your release to protect against this vulnerability.

Vulnerability Details

The vulnerability exists in the implementation of the Harbor Registry search functionality of GitLab. Harbor Registry is a cloud service for managing and serving container images, often used in conjunction with GitLab. The vulnerability is triggered when a crafted payload with a particular regular expression is sent to the search functionality, causing a ReDoS to occur.

Here is a simple example of a crafted payload that might be used in an exploit targeting this vulnerability:

payload = 'username=(?:(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[-9])(?=.*?[\-_+!])){8,}'

1. In this payload, the attacker exploits a poorly designed regex by providing a complex pattern that requires extensive backtracking, causing performance degradation or even crashing the target.
2. The attacker sends the payload to the GitLab instance as part of a Harbor Registry search request.
3. The vulnerable GitLab instance is unable to process the malicious regex pattern efficiently, leading to a drop in performance or even a crash.
4. Until the issue is resolved, the attacker may continue sending payloads to exploit the vulnerability.

Patched GitLab Versions

- GitLab 16.2.2 and later (for the 16.2.x series)

To protect your GitLab instance from this ReDoS vulnerability, update your installation to the latest available version for your release, as mentioned above. You can find detailed instructions on updating GitLab in the official documentation:

- Updating GitLab

- Regularly review your regex implementations to ensure they are designed securely and efficiently, and never compile user-supplied input as a pattern.

- Implement rate limiting and other security measures to minimize the risk of unauthorized access and exploitation.
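To make the two mitigations above concrete, here is an added Ruby example (not GitLab's or Harbor's own code): a registry-image search that compiles the user's query as a regex, the hardened form that escapes and length-bounds the query instead, and a small heuristic linter for reviewing developer-written patterns. The image names and the 64-character limit are constructed sample values.

```ruby
# Added example, not GitLab's code: a registry-image search built two ways,
# plus a heuristic for spotting backtracking-prone developer-written patterns.
IMAGES = %w[library/nginx library/redis myteam/api-server myteam/username-service].freeze
MAX_QUERY_LENGTH = 64  # constructed limit for the example

# Insecure: the raw query is compiled as a regex, so whoever submits the query
# also controls how much backtracking the matcher performs.
def search_unsafe(query)
  IMAGES.grep(Regexp.new(query, Regexp::IGNORECASE))
end

# Hardened: the query is escaped (treated as literal text) and length-bounded,
# so match cost stays linear in the input and no user-chosen pattern is compiled.
def search_safe(query)
  raise ArgumentError, "query too long" if query.length > MAX_QUERY_LENGTH
  IMAGES.grep(Regexp.new(Regexp.escape(query), Regexp::IGNORECASE))
end

# Review aid for patterns written by developers: returns true when a group that
# already contains a quantifier (+ * {) is itself quantified, e.g. "(a+)+".
# Character classes and escapes are skipped; this is a linter heuristic, not a proof.
def suspicious_pattern?(src)
  stack = []  # one flag per open group: has a quantifier been seen inside it?
  i = 0
  while i < src.length
    case src[i]
    when "\\" then i += 1                       # skip the escaped character
    when "["                                    # skip a character class wholesale
      i += 1
      while i < src.length && src[i] != "]"
        i += 1 if src[i] == "\\"
        i += 1
      end
    when "(" then stack.push(false)
    when ")"
      inner = stack.pop
      nxt = src[i + 1]
      return true if inner && nxt && "+*{".include?(nxt)
    when "+", "*", "{" then stack.map! { true }  # every enclosing group now holds a quantifier
    end
    i += 1
  end
  false
end
```

Run `suspicious_pattern?` over your own pattern sources in a test or CI step; it flags the shape of the pattern shown on this page while leaving ordinary anchored classes alone.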

Conclusion

CVE-2023-0632 represents a significant security threat for GitLab users, making it crucial for concerned parties to respond quickly. Ensure that your GitLab instance is immune from this vulnerability by updating your software to one of the patched versions and following the recommended mitigation steps. By doing so, you can safeguard your GitLab instance and maintain the highest level of security for your development infrastructure.

References

1. CVE-2023-0632 in GitLab Security Advisory
2. GitLab Update Documentation
3. Harbor Registry Homepage

Timeline

Published on: 08/02/2023 00:15:00 UTC
Last modified on: 08/04/2023 19:02:00 UTC