An important security issue identified as CVE-2024-9633 has been discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This vulnerability affects all GitLab versions from 16.3 up to (but not including) 17.3.7, from 17.4 up to (but not including) 17.4.4, and from 17.5 up to (but not including) 17.5.2. The flaw allows an attacker to create a group whose name matches an existing unique Pages domain, potentially leading to domain confusion attacks. In this post, we will go through the details of this vulnerability, provide references to the original sources, and offer guidance on how to fix the issue.

CVE-2024-9633: Exploit Details

A domain confusion attack takes place when a malicious actor creates a group with a name that closely resembles an existing unique Pages domain, with the goal of tricking users into navigating to the attacker's domain instead of the legitimate one. For instance, an attacker might choose a group name that appends a couple of random characters to an authentic Pages domain. Unsuspecting users who mistakenly visit the attacker's domain could then be exposed to phishing attacks or malware downloads without their knowledge.

The vulnerability in GitLab CE/EE originates from insufficient validation when assigning new group names. Because the check does not consider existing unique Pages domains, an attacker can create a group whose name is indistinguishable from one of them.

Here is a simplified snippet (illustrative Django-style pseudocode, not GitLab's own Rails code) that demonstrates the issue:

from django.core.exceptions import ValidationError
from django.http import HttpResponse

from .models import Group  # assumed model with a `name` field


def create_group(request):
    group_name = request.POST['group_name']
    # Only an exact match against existing groups is checked; names that
    # collide with an existing unique Pages domain are never consulted.
    if Group.objects.filter(name=group_name).exists():
        raise ValidationError("Group name already exists!")
    Group.objects.create(name=group_name)
    return HttpResponse("Group created")

In the code, the validation only checks whether a Group object with exactly the requested name already exists in the database. It never consults the set of established unique Pages domains, so a group name that collides with (or closely resembles) one of those domains is accepted.
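To make the gap concrete, the following is an added example (not GitLab's code and not from the original post) that places the weak exact-match check beside a hardened validator. It assumes in-memory sets standing in for the database tables, a constructed Pages base domain (`example.io`) and constructed unique Pages hosts; the allowed-character rule is a simplified assumption, not GitLab's actual path rules.

```python
import re
import unicodedata

# Constructed sample data standing in for database rows (hypothetical values).
EXISTING_GROUPS = {"acme", "platform-team"}
UNIQUE_PAGES_HOSTS = {"docs-site-a1b2c3.example.io", "intranet-9f8e7d.example.io"}
PAGES_BASE_DOMAIN = "example.io"  # placeholder base domain, not a real one

# Simplified label rule (assumption): lowercase alphanumerics, '-', '_', '.',
# starting and ending with an alphanumeric character.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9_.-]*[a-z0-9])?$")


def normalize_label(name: str) -> str:
    """Fold Unicode compatibility forms, whitespace and case before comparing."""
    return unicodedata.normalize("NFKC", name).strip().lower()


def create_group_weak(group_name: str, existing_groups: set) -> str:
    """The pattern described in the post: only an exact match against groups.

    A name equal to an existing unique Pages domain label passes this check.
    """
    if group_name in existing_groups:
        raise ValueError("Group name already exists!")
    existing_groups.add(group_name)
    return group_name


def validate_group_name(group_name: str, existing_groups: set,
                        unique_pages_hosts: set, base_domain: str):
    """Return None if the name is acceptable, otherwise a rejection reason.

    The hardened check normalizes the candidate, enforces the label rule,
    compares case-insensitively against existing groups, and rejects any
    name whose Pages host would coincide with an existing unique Pages host.
    """
    label = normalize_label(group_name)
    if not LABEL_RE.fullmatch(label):
        return "invalid characters"
    if label in {normalize_label(g) for g in existing_groups}:
        return "group name already exists"
    candidate_host = f"{label}.{base_domain.lower()}"
    if candidate_host in {h.lower() for h in unique_pages_hosts}:
        return "collides with an existing unique Pages domain"
    return None


def create_group_hardened(group_name: str, existing_groups: set,
                          unique_pages_hosts: set, base_domain: str) -> str:
    """Create the group only when validate_group_name accepts the name."""
    reason = validate_group_name(group_name, existing_groups,
                                 unique_pages_hosts, base_domain)
    if reason is not None:
        raise ValueError(reason)
    label = normalize_label(group_name)
    existing_groups.add(label)
    return label


if __name__ == "__main__":
    # The weak check accepts a name that equals a unique Pages domain label.
    print(create_group_weak("docs-site-a1b2c3", set(EXISTING_GROUPS)))
    # The hardened check rejects the same name.
    print(validate_group_name("docs-site-a1b2c3", EXISTING_GROUPS,
                              UNIQUE_PAGES_HOSTS, PAGES_BASE_DOMAIN))
```

The key design choice is that the uniqueness check runs against every namespace that ends up in the same DNS space (groups and unique Pages hosts), after the same normalization on both sides; comparing raw strings against a single table is what lets the collision through.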

Original References

1. The Official CVE-2024-9633 Advisory - <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9633>
2. The Official GitLab Security Release - <https://about.gitlab.com/releases/2024/08/23/security-release-gitlab-25--14/>
3. GitLab Security Advisory - <https://about.gitlab.com/security-advisories/>
4. GitLab Pages Documentation - <https://docs.gitlab.com/ee/user/project/pages/>

Remediation

To remediate this vulnerability, it is highly recommended to update your GitLab CE/EE installation to a fixed version:

1. Update to GitLab CE/EE 17.3.7 if you are using a version between 16.3 and 17.3.6.
2. Update to GitLab CE/EE 17.4.4 if you are using a version between 17.4 and 17.4.3.
3. Update to GitLab CE/EE 17.5.2 if you are using a version between 17.5 and 17.5.1.

Instructions for upgrading GitLab installations can be found in the official GitLab documentation: <https://docs.gitlab.com/ee/update/>

In addition to the software update, it is vital to educate users about the potential risks of domain confusion attacks and advise them to be cautious when opening links, especially those that appear to be part of a GitLab Pages domain.

Conclusion

Domain confusion attacks can have severe consequences for both organizations and users. By exploiting this vulnerability (CVE-2024-9633) in GitLab CE/EE, an attacker can create groups with group names that appear nearly identical to existing unique Pages domain names, potentially exposing users to phishing attacks and malware downloads. To protect against this exploit, it is crucial to update GitLab CE/EE installations to the fixed versions and educate users about the potential risks of domain confusion attacks.

Timeline

Published on: 11/14/2024 14:15:19 UTC
Last modified on: 11/15/2024 13:58:08 UTC