On Thursday, 31 March 2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products, tracked as CVE-2022-1162. GitLab is DevOps software that combines the ability to develop, secure, and operate software in a single application. Exploitation of CVE-2022-1162 can allow a threat actor to guess a hard-coded password for any GitLab account with relative ease.
GitLab states that its investigation has shown no indication that user accounts on GitLab.com have been compromised at this time. Even so, GitLab has reset passwords for select GitLab.com users.
The root cause of CVE-2022-1162 lies in the account registration process when an OmniAuth provider (e.g., OAuth, LDAP, SAML) is used: a hard-coded password is set following a predictable pattern, which allows a threat actor to brute-force a registered user's password based on that pattern. Note that only GitLab deployments where user accounts are created through an OmniAuth provider are in scope for CVE-2022-1162. GitLab has published a script that self-managed instance administrators can use to identify user accounts potentially impacted by CVE-2022-1162.
Recommendation #1: Patch Vulnerable Versions of GitLab Community Edition & Enterprise Edition
Arctic Wolf's primary recommendation is to first determine whether you are running an affected version of GitLab Community Edition or Enterprise Edition.
GitLab's advisory (linked below) lists the versions affected by this vulnerability. Review the list below to determine whether any affected version of this application is running in your environment, and patch as soon as possible.
- Versions 14.7 to 14.7.6: upgrade to 14.7.7
- Versions 14.8 to 14.8.4: upgrade to 14.8.5
- Versions 14.9 to 14.9.1: upgrade to 14.9.2
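As an added example (not code from Arctic Wolf or GitLab), the following Python script encodes the three affected ranges listed above and reports which fixed release an instance should move to. It assumes that a GitLab version string starts with the numeric version (a build suffix such as "-ee" may follow), and the sample inputs are constructed.

```python
import re

# Affected ranges and their fixed releases, as listed in the GitLab advisory
# for CVE-2022-1162 (inclusive lower and upper bounds).
AFFECTED_RANGES = [
    ((14, 7, 0), (14, 7, 6), "14.7.7"),
    ((14, 8, 0), (14, 8, 4), "14.8.5"),
    ((14, 9, 0), (14, 9, 1), "14.9.2"),
]


def parse_version(text):
    """Turn '14.8.2-ee' or '14.7' into a comparable (major, minor, patch) tuple.

    A missing patch component is treated as 0, so '14.7' is the bottom of the
    14.7 range, matching the advisory's 'Versions 14.7 to 14.7.6' wording.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def required_upgrade(version_text):
    """Return the fixed release to upgrade to, or None when the version is not
    inside any range the advisory names (already patched, or not in scope)."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return fixed
    return None


def triage(version_texts):
    """Map each instance's version string to its upgrade target (or None)."""
    return {v: required_upgrade(v) for v in version_texts}


if __name__ == "__main__":
    # Constructed sample of version strings as an inventory might record them.
    sample = ["14.8.2-ee", "14.7", "14.7.7", "14.9.1", "14.6.5", "15.0.0-ce"]
    for version, target in triage(sample).items():
        status = f"upgrade to {target}" if target else "not in an affected range"
        print(f"{version:12s} -> {status}")
```

Versions older than 14.7 fall outside every range the advisory lists, so the script reports them as not affected; that reflects only what the advisory states, not an independent assessment of those releases.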
Recommendation #2: Identify & Reset Passwords for Affected Users
GitLab has provided a script (referenced in its advisory, linked below) that self-managed instance administrators can use to identify users potentially impacted by CVE-2022-1162. After identifying the affected user accounts, Arctic Wolf strongly recommends resetting those users' passwords.
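As an added example that is neither GitLab's script nor Arctic Wolf's code, the following Python models the defect described in the root-cause section above (every provider-registered account receiving the same hard-coded password) beside a hardened provisioning routine, and then an audit that flags accounts whose stored hash still verifies against that default so they can be reset. HARDCODED_DEFAULT_PASSWORD is a placeholder rather than the real value, PBKDF2 stands in for whatever hash the application actually uses, and the user directory is constructed.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Placeholder for the hard-coded default named in the advisory. This is NOT
# the real value; substitute the string from the vendor's own script.
HARDCODED_DEFAULT_PASSWORD = "<placeholder-hardcoded-default>"


@dataclass
class User:
    email: str
    provider: str            # e.g. "saml", "ldap", "google_oauth2", or "local"
    salt: bytes
    password_hash: bytes
    password_reset_required: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 as a stand-in for the application's real password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_external_user_vulnerable(email: str, provider: str) -> User:
    """The defect pattern: every provider-registered account gets the same,
    predictable password, so anyone who knows the pattern can log in."""
    salt = os.urandom(16)
    return User(email, provider, salt, hash_password(HARDCODED_DEFAULT_PASSWORD, salt))


def provision_external_user_fixed(email: str, provider: str) -> User:
    """Hardened: an unguessable per-account secret that is never shown to anyone,
    plus a flag so the local password cannot be used before a proper reset."""
    salt = os.urandom(16)
    throwaway = secrets.token_urlsafe(32)
    return User(email, provider, salt, hash_password(throwaway, salt),
                password_reset_required=True)


def has_default_password(user: User) -> bool:
    """Constant-time comparison of the stored hash against the known default."""
    candidate = hash_password(HARDCODED_DEFAULT_PASSWORD, user.salt)
    return hmac.compare_digest(candidate, user.password_hash)


def find_affected_users(users):
    """Only accounts created through an external provider are in scope; local
    accounts chose their own password at registration."""
    return [u.email for u in users if u.provider != "local" and has_default_password(u)]


def reset_password(user: User) -> None:
    """Replace the credential with fresh random material and force a reset."""
    user.salt = os.urandom(16)
    user.password_hash = hash_password(secrets.token_urlsafe(32), user.salt)
    user.password_reset_required = True


def build_sample_users():
    """Constructed directory: two accounts from the vulnerable code path, one
    from the fixed path, and one local account that is out of scope."""
    users = [
        provision_external_user_vulnerable("alice@example.test", "saml"),
        provision_external_user_vulnerable("bob@example.test", "ldap"),
        provision_external_user_fixed("carol@example.test", "google_oauth2"),
    ]
    salt = os.urandom(16)
    users.append(User("dave@example.test", "local", salt,
                      hash_password("dave-chosen-passphrase", salt)))
    return users


if __name__ == "__main__":
    users = build_sample_users()
    affected = find_affected_users(users)
    print("Accounts still holding the hard-coded default:", affected)
    for u in users:
        if u.email in affected:
            reset_password(u)
    print("After reset:", find_affected_users(users))
```

The audit deliberately re-derives the hash from the known default rather than comparing plaintext, so it works against the stored credential store without ever needing the users' passwords; the reset path discards the new random value immediately, which is the point: the user must go through the normal reset flow to obtain a working password.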
- MITRE CVE-2022-1162: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
- GitLab Advisory for CVE-2022-1162: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
- GitLab Reset Password Article: https://docs.gitlab.com/ee/security/reset_user_password.html#reset-a-users-password