A critical remote code execution (RCE) vulnerability in GitLab's web interface, patched in April 2021, has been found to be actively exploited in the wild. This puts a large number of internet-facing GitLab instances at risk.
The vulnerability, tracked as CVE-2021-22205, stems from improper validation of user-supplied image files and leads to arbitrary code execution on the GitLab server. (The underlying bug sits in ExifTool, which GitLab runs on uploaded images to strip metadata; the ExifTool fix is tracked separately as CVE-2021-22204.) It affects all GitLab versions starting with 11.9. GitLab fixed it on April 14, 2021 in versions 13.8.8, 13.9.6, and 13.10.3.
Real-world attacks detailed by HN Security
In one of the real-world attacks described by HN Security last month, attackers exploited this flaw on a publicly accessible GitLab server belonging to an unnamed customer. By uploading a malicious payload disguised as an image, they obtained remote command execution on the host and used it to register two new user accounts and grant them admin privileges.
Exploitation will probably increase
According to Rapid7, in October there were about 60,000 internet-facing GitLab installations worldwide. They split these into three categories: fully patched (21%), unpatched (50%), and possibly patched (29%), the last group being instances whose exact version could not be determined.
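Before you can say which bucket an instance falls into you need to compare its version against the fixed releases, and naive string comparison gets this wrong (`"13.10" < "13.9"` as strings). The script below is an added example, not code from the original article, from Rapid7 or from GitLab. It encodes only the version facts stated above (affected from 11.9, fixed in 13.8.8, 13.9.6 and 13.10.3) and assumes that every release newer than 13.10.3 carries the fix. It also triages the JSON body returned by GitLab's real `GET /api/v4/version` endpoint, which requires an authenticated token; the inventory list and the JSON response in the block are constructed sample data.

```python
"""Triage GitLab version strings against CVE-2021-22205.

Added example, not taken from the article, Rapid7 or GitLab. It encodes only
the version facts the article states: every release from 11.9 onward is
affected, and fixes shipped on 2021-04-14 in 13.8.8, 13.9.6 and 13.10.3.
Assumption: releases newer than 13.10.3 are treated as patched.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (11, 9, 0)
# Fixed release on each minor branch that received a backport.
FIXED: Dict[Tuple[int, int], Version] = {
    (13, 8): (13, 8, 8),
    (13, 9): (13, 9, 6),
    (13, 10): (13, 10, 3),
}
LATEST_FIX: Version = (13, 10, 3)


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (optional 'v' prefix, optional '-ee'/'-rc' suffix) into a tuple.

    Tuples compare element-wise, so (13, 10, 3) > (13, 9, 6) as expected,
    which a plain string comparison would get wrong ('13.10' < '13.9').
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def status(text: str) -> str:
    """Return 'not affected', 'unpatched' or 'patched' for one version string."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not affected"          # predates the vulnerable code path
    branch = v[:2]
    if branch in FIXED:                # 13.8 / 13.9 / 13.10: compare to the backport
        return "patched" if v >= FIXED[branch] else "unpatched"
    if v > LATEST_FIX:
        return "patched"               # 13.11 and later shipped after the fix
    return "unpatched"                 # 11.9 .. 13.7.x never received a backport


def status_from_api(body: str) -> str:
    """Triage the JSON body returned by GET /api/v4/version.

    That endpoint needs an authenticated token, so this is a check you run
    against your own instances, not an unauthenticated internet scan.
    """
    return status(json.loads(body)["version"])


def triage_fleet(versions: List[str]) -> Dict[str, List[str]]:
    """Group a list of version strings by patch status."""
    groups: Dict[str, List[str]] = {"patched": [], "unpatched": [], "not affected": []}
    for v in versions:
        groups[status(v)].append(v)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    fleet = ["13.10.3-ee", "13.9.0", "13.8.7", "12.10.14", "14.3.1", "11.8.10"]
    for name, members in triage_fleet(fleet).items():
        print(f"{name:12s} {members}")
    # Constructed sample of an /api/v4/version response body.
    print(status_from_api('{"version":"13.9.6-ee","revision":"abc123"}'))
```

Note the 13.9.0 case: it is numerically newer than 13.8.8 yet still vulnerable, because the fix for its branch only arrived in 13.9.6. Rapid7's "possibly patched" bucket corresponds to instances where no version string could be obtained at all, which is why an authenticated check against your own fleet is more reliable than an external scan.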
Important: update GitLab to the latest version
Multiple public exploits for this vulnerability have been published, and it has reportedly been exploited in the wild since June or July. Exploitation is likely to increase now that it is widely known that the flaw can be triggered without authentication; GitLab later raised the CVSS score to 10.0 for exactly that reason.
This is why it is now critical to update to the latest version as soon as possible. It is also worth asking whether GitLab needs to be an internet-facing service at all.
Do you really need to reach your GitLab from the internet? If not, consider placing it behind a VPN: an exploit that needs no account can only be fired at servers the attacker can reach.