CVE-2024-9596: Unauthenticated GitLab Version Enumeration Vulnerability

A recently discovered critical vulnerability (CVE-2024-9596) has been reported in GitLab EE. All instances of the GitLab version starting from 16.6 prior to 17.2.9, 17.3 prior to 17.3.5, and 17.4 prior to 17.4.2 are affected by this vulnerability. This issue allows an unauthenticated attacker to determine the GitLab version number for a given GitLab instance without needing any authentication credentials. By obtaining the version number, it opens up potential targeted attacks on systems with known vulnerabilities for that specific version.

Exploit Details

The vulnerability lies in the information leakage, specifically the instance version, in GitLab's HTTP response headers. By sending a specifically crafted HTTP request to the target GitLab instance, an attacker can analyze the server's response and extract the GitLab version number.

Here's a sample HTTP request an attacker could send

GET / HTTP/1.1
Host: gitlab.example.com
User-Agent: GitLabVersionEnumerator/1.

By analyzing the response headers, an attacker can determine the GitLab version number. In this example, the identified version is "GitLab Community Edition 16.6":

HTTP/1.1 200 OK
Date: Tue, 23 Feb 2024 15:25:24 GMT
Server: Apache/2.4.39 (Unix)
X-GitLab-Version: GitLab Community Edition 16.6
...

The X-GitLab-Version header reveals the GitLab version number in use by the particular GitLab instance, which allows the attacker to potentially identify and exploit known vulnerabilities associated with that version.

Original References

1. GitLab Advisory: Unauthenticated Enumeration of GitLab Versions
2. CVE-2024-9596 Details

GitLab EE 17.2.9, 17.3.5, and 17.4.2

It is highly recommended for affected versions to be updated immediately to the latest available patched version to avoid any potential exploitation of this vulnerability. To update your GitLab instance, follow the instructions in the GitLab upgrade documentation:

1. Upgrading GitLab

Additionally, as a temporary workaround, operators can configure their web server (e.g., Apache or Nginx) to strip out the X-GitLab-Version header from outgoing responses. This will prevent potential attackers from determining the GitLab version number until a proper patch can be applied.

Here's an example of how to remove the X-GitLab-Version header using Nginx

server {
    ...
    location / {
        proxy_pass http://gitlab;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-GitLab-Version "";
    }
}

And here's an example of how to remove the X-GitLab-Version header using Apache

Header unset X-GitLab-Version

Keep in mind that these workarounds should only serve as a temporary measure until the affected GitLab instance is upgraded to a version that has patched CVE-2024-9596.

Conclusion

This critical vulnerability (CVE-2024-9596) allows unauthenticated attackers to determine the GitLab version number for a specific GitLab instance. By obtaining the version number, attackers can potentially carry out targeted attacks on systems with known vulnerabilities for that specific version. It's essential to apply the recommended patches or, as a temporary measure, configure your web server to remove the X-GitLab-Version header to protect against this vulnerability.

Timeline

Published on: 10/10/2024 10:15:08 UTC
Last modified on: 10/10/2024 12:51:56 UTC