CVE-2024-2874: GitLab Runner Registration Bug Allowing for Disrupted Loading of Targeted Web Resources

A newly discovered vulnerability (CVE-2024-2874) has been reported in GitLab Community Edition (CE) and Enterprise Edition (EE), impacting all versions before 16.10.6, version 16.11 before 16.11.3, and version 17. before 17..1. The issue arises when a runner is registered with a specifically crafted description, potentially disrupting the loading of targeted GitLab web resources. This post will delve into the details of the bug, including code snippets and repository links to help developers understand the exploit and how to mitigate its effects.

Vulnerability Details

The vulnerability lies in the way GitLab handles runner registration. In particular, if a runner is registered with a maliciously crafted description, it can cause the targeted GitLab web resources to fail to load properly or become disrupted. This could result in a denial of service (DoS) attack, affecting the availability of the GitLab instance and potentially causing disruptions to important workflows, security implications, and user experience.

Code Snippet

To demonstrate the issue, consider the following code snippet that illustrates how a runner can be registered with a crafted description:

from gitlab import Gitlab

gitlab_instance = Gitlab('https://gitlab.example.com';, private_token='YOUR_PRIVATE_TOKEN')

runner = gitlab_instance.runners.create({
    'description': 'My malicious Runner',         # Crafted runner description
    'tag_list': 'my, malicious, runner, tags',    # Tags for classification
    'run_untagged': True,                         # Allows the runner to run untagged jobs
    'locked': False,                              # Does not lock the runner to a specific project
    'access_level': 'not_protected',              # Access level set to non-protected
    'maximum_timeout': 360                       # Sets the runner's maximum timeout value
})

You can find the original GitLab issues related to this vulnerability in the following links

- Discovered by FirstName LastName [link to profile] in GitLab Issue #xxxx (Replace FirstName LastName and link to profile)
- The GitLab advisory for this vulnerability is available here
- GitLab's official patch for the issue can be found in their repository (Replace with the corresponding commit link)

How to Exploit & Mitigate

The exploit depends on registering a runner with a specific malicious description that will trigger the bug when the runner is used or its information gets loaded. Developers should take the following steps to mitigate the effects of this vulnerability:

1. Upgrade to the latest GitLab version (16.10.6, 16.11.3, or 17..1) – This update includes GitLab's official patch for the issue.
2. Regularly review and audit the list of the registered runners in your GitLab instance, and remove any suspicious runners with crafted descriptions.
3. Implement monitoring solutions that can identify potential denial of service attacks or disruptions caused by the vulnerability.
4. Limit the ability to register new runners by restricting the access to GitLab API keys or authentication tokens.

By following these precautionary measures, you can reduce the risk of the CVE-2024-2874 vulnerability affecting your GitLab instance. Stay vigilant and keep your instances up-to-date to ensure the security and reliability of your software development processes.

Timeline

Published on: 05/23/2024 07:15:08 UTC
Last modified on: 05/24/2024 01:15:30 UTC