GitLab Password Security Vulnerability – CVE-2022-1162

Share :

On Thursday, March 31, 2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. GitLab is DevOps software that combines the ability to develop, secure, and operate software in a single application. The exploitation of CVE-2022-1162 can allow a threat actor to guess a hard-coded password for any GitLab account with relative ease.

GitLab claims that its investigation has shown no indication that users accounts on GitLab.com deployments have been compromised at this time. GitLab has reset passwords for select GitLab.com users despite no indication that the accounts have been compromised.

The root cause of CVE-2022-1162 is in the account registration process using an OmniAuth provider (e.g., OAuth, LDAP, SAML) where a hardcoded password is set with a predictable pattern that allows a threat actor to brute force a registered user’s password based on the pattern. It is important to note that only GitLab deployments where user accounts are created using an OmniAuth provider are in scope for being vulnerable to CVE-2022-1162. GitLab has created a script that self-managed instance admins can use to identify user accounts potentially impacted by CVE-2022-1162.

Recommendations

Recommendation #1: Patch Vulnerable Versions of GitLab Community Edition & Enterprise Edition

Arctic Wolf’s primary recommendation is to first determine if you’re running the affected versions of GitLab Community Edition/Enterprise Edition.

GitLab has indicated in their advisory that specific versions are affected by this vulnerability. We recommend reviewing the below to determine if you’re running any affected versions of this application in your environment and patch as soon as possible.

  • For Versions 14.7 to 14.7.6 – upgrade to 14.7.7
  • For Versions 14.8 to 14.8.4 – upgrade to 14.8.5
  • For Versions 14.9 to 14.9.1 – upgrade to 14.9.2

Recommendation #2: Identify & Reset Passwords for Affected Users

GitLab has provided a script to identify users potentially impacted by CVE-2022-1162 for self-managed instance administrators. After identifying the affected user accounts, Arctic Wolf strongly recommends to reset the user’s password.

References

Adrian Korn

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter