Hackers Can Reset Your GitLab Password and Get It On Their Email

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added one new vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation found in the DevOps platform GitLab.

The vulnerability tracked as CVE-2023-7028 (CVSS score: 10) allows a threat actor to trigger password reset emails to be sent to arbitrary, unverified email addresses, ultimately facilitating an account takeover without user interaction.

Further, successful exploitation of the vulnerability could also lead to supply chain attacks by inserting malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments.

Accounts with two-factor authentication (2FA) enabled are still vulnerable to the password reset, but not to account takeover, since the second authentication factor is required to log in.

Hence, it is essential to patch systems where accounts are not protected with this additional security measure.

The CVE-2023-7028 bug discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) affects all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2.

The flaw was addressed in GitLab versions 16.7.2, 16.6.4, and 16.5.6, and patches were backported to versions 16.1.6, 16.2.9, and 16.3.7.
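To turn the version ranges above into an inventory check, here is an added example (not GitLab's own code or tooling) that parses a self-managed GitLab version string, reports whether it falls inside one of the affected ranges listed in this article, and names the minimum patched release on the same minor line; hostnames and versions in the sample inventory are constructed.

```python
import re

# (first affected, first fixed) per minor line, taken from the article's version list.
# Minor lines not listed (e.g. 16.0 or 16.8) are treated as outside the affected ranges.
AFFECTED_RANGES = [
    ("16.1.0", "16.1.6"),
    ("16.2.0", "16.2.9"),
    ("16.3.0", "16.3.7"),
    ("16.4.0", "16.4.5"),
    ("16.5.0", "16.5.6"),
    ("16.6.0", "16.6.4"),
    ("16.7.0", "16.7.2"),
]


def parse_version(text):
    """Turn '16.5.3', '16.5.3-ee' or 'v16.5' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def check_cve_2023_7028(version_text):
    """Return (affected, fixed_version): fixed_version is the minimum patched release
    on the same minor line, or None when the version lies outside every affected range."""
    v = parse_version(version_text)
    for first, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v < parse_version(fixed):
            return True, fixed
    return False, None


def triage(inventory):
    """Map {hostname: version} to {hostname: target_version} for hosts still needing the patch."""
    needs_patch = {}
    for host, version in inventory.items():
        affected, fixed = check_cve_2023_7028(version)
        if affected:
            needs_patch[host] = fixed
    return needs_patch


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {"git-a.example.internal": "16.7.1-ee", "git-b.example.internal": "16.7.2",
              "git-c.example.internal": "16.3.9", "git-d.example.internal": "16.0.8"}
    for host, fixed in triage(sample).items():
        print(f"{host}: affected by CVE-2023-7028, upgrade to {fixed} or later")
```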

GitLab has said it did not detect any abuse of vulnerability CVE-2023-7028 on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.

However, the threat monitoring service The Shadowserver Foundation found over 5,300 internet-exposed GitLab instances vulnerable to this zero-click account takeover in January (the week the security patches were released), a number that had decreased by only 55% as of Tuesday.

CISA has confirmed that the vulnerability CVE-2023-7028 is being actively exploited in attacks and has asked U.S. federal agencies to secure their systems by May 22, 2024, or discontinue use of the product if mitigations are unavailable.

While the U.S. cybersecurity agency has not provided any information about the ongoing attacks, it did confirm that it has no evidence of the vulnerability being used in ransomware campaigns.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said on Wednesday.

GitLab users who haven’t already patched should review their logs for possible attempts to exploit this vulnerability and follow GitLab’s incident response guide for remediation steps.

Kavita Iyer, https://www.techworm.net