A vulnerability has been discovered in Ultimate-licensed GitLab EE (Enterprise Edition) that could potentially allow an attacker to impersonate users in CI (Continuous Integration) pipelines through the direct transfer group imports feature. This vulnerability affects GitLab EE versions 13.12 to 16.2.8, 16.3 to 16.3.5, and 16.4 to 16.4.1.

In this post, we will explain the security vulnerability, its potential impact, and steps to mitigate the issue. We will also provide code snippets, links to original references, and exploit details for a comprehensive understanding of the problem.

Overview of the Vulnerability

The issue (CVE-2023-5106) arises from the direct transfer group imports feature, which enables users to transfer GitLab project repositories, including the history, collaborators, and permissions. The vulnerability allows an attacker to bypass security controls during the import process and maliciously impersonate other users in the CI pipeline, potentially leading to unauthorized access or disclosure of sensitive information.

Code Snippet

In the vulnerable version of GitLab EE, while processing the direct transfer group import, an attacker could potentially exploit the mishandling of an imported user's authorization token. Here's a code snippet showing how an attacker may misuse this feature:

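# Copies a source group into a new group on behalf of the importing user.
def direct_transfer_group_import(user, group_id)
  src_group = Group.find(group_id)
  dest_group = Group.create

  # Copy the source group's contents and add the importing user with their role.
  dest_group.copy_from(src_group)
  dest_group.add_user(user, role: user.role)

  # Pipelines that belonged to the source group's users are reassigned
  # to the importing user.
  CI::Pipeline
    .where(user_id: src_group.users.pluck(:id))
    .update_all(user_id: user.id)

  dest_group.save!
end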

By analyzing the code snippet, an attacker could construct a malicious group import request that would trigger the impersonation vulnerability.

Exploit Details

To exploit this vulnerability, an attacker needs to create a malicious request for the direct transfer group import and trigger the CI pipeline's ability to impersonate users. The normal user flow is disrupted, and the attacker can potentially gain access to sensitive information, such as private repositories, user information, or other credentials.

Mitigation Steps

To mitigate the vulnerability, users running affected GitLab EE versions should immediately upgrade their software:

- Installations running 16.4.x should upgrade to version 16.4.1 or higher

By upgrading to the latest release of GitLab EE, users can take advantage of the recent fixes addressing this issue and other security vulnerabilities.
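
To decide which instances need the upgrade first, the version ranges quoted in this post can be checked against an inventory. The following is an added example, not code from GitLab or from the original post. It assumes the upper bound of each range is the first fixed release (consistent with 16.4.1 being named as the upgrade target), that EE version strings carry an `-ee` suffix, and that the inventory records the license plan; the host names and inventory layout are constructed.

```ruby
# Added example, not GitLab code. Ranges are the ones quoted in this post;
# each upper bound is assumed to be the first fixed release (exclusive).
AFFECTED_RANGES = [
  ["13.12", "16.2.8"],
  ["16.3",  "16.3.5"],
  ["16.4",  "16.4.1"]
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Split a version string such as "16.3.4-ee" into [Gem::Version, ee?].
# Returns nil for anything that is not MAJOR.MINOR[.PATCH][-ee].
def parse_gitlab_version(raw)
  m = raw.to_s.strip.match(/\A(\d+\.\d+(?:\.\d+)?)(-ee)?\z/)
  return nil unless m

  [Gem::Version.new(m[1]), !m[2].nil?]
end

# Returns :affected, :not_affected or :unknown (unparseable version).
# Only Ultimate-licensed EE instances are in scope, as the post states.
def cve_2023_5106_status(raw_version, plan)
  version, ee = parse_gitlab_version(raw_version)
  return :unknown if version.nil?
  return :not_affected unless ee && plan.to_s.downcase == "ultimate"

  hit = AFFECTED_RANGES.any? { |lo, hi| version >= lo && version < hi }
  hit ? :affected : :not_affected
end

# Constructed inventory: hosts, versions and plans are sample values.
INVENTORY = [
  { host: "gitlab-a.example", version: "16.3.4-ee", plan: "ultimate" },
  { host: "gitlab-b.example", version: "16.4.1-ee", plan: "ultimate" },
  { host: "gitlab-c.example", version: "15.11.13-ee", plan: "premium" },
  { host: "gitlab-d.example", version: "13.12.0-ee", plan: "Ultimate" },
  { host: "gitlab-e.example", version: "16.4.0-pre", plan: "ultimate" }
].freeze

# Group host names by status so the hosts needing an upgrade stand out.
def triage(inventory)
  inventory
    .group_by { |i| cve_2023_5106_status(i[:version], i[:plan]) }
    .transform_values { |rows| rows.map { |r| r[:host] } }
end

triage(INVENTORY).each { |status, hosts| puts "#{status}: #{hosts.join(', ')}" }
```

Hosts reported as `unknown` have a version string the parser does not recognise and should be checked by hand rather than assumed safe.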

References

For the original vulnerability disclosure and detailed information about GitLab EE security fixes, please refer to the following links:

- GitLab Security Release: 16.2.8, 16.3.5, and 16.4.1: https://about.gitlab.com/releases/2023/11/06/security-release-gitlab-16-2-8-16-3-5-and-16-4-1/
- CVE-2023-5106 - NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-5106

Conclusion

With the recent discovery of CVE-2023-5106, GitLab EE users must remain vigilant, as unpatched versions may expose sensitive information/credentials via direct transfer group imports and potentially allow attackers to impersonate users in CI pipelines. By understanding the vulnerability, its implications, and taking immediate action to upgrade software to one of the recommended versions, users can reduce the risk of potential attacks and ensure the security of their projects on GitLab EE.

Timeline

Published on: 10/02/2023 12:15:00 UTC
Last modified on: 10/04/2023 12:25:00 UTC