GitLab has issued patches to rectify a severe vulnerability affecting both its Community Edition (CE) and Enterprise Edition (EE) versions, which could lead to an authentication bypass.
The flaw stems from a weakness in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0) that lets an unauthenticated attacker sign in as any user of an affected system. The ruby-saml maintainers fixed the issue last week in version 1.17.0.
The root cause is that the library failed to properly verify the XML signature on a SAML Response, so a document legitimately signed by the identity provider could be altered without the change being detected. SAML (Security Assertion Markup Language) is the protocol behind much single sign-on (SSO): an identity provider (IdP) issues a signed assertion about who the user is, and applications and sites rely on that signature to accept the login. If the signature check can be fooled, the assertion's contents are attacker-controlled.
“A threat actor with no authentication, but possessing a signed SAML document (issued by the Identity Provider), can forge a SAML Response or Assertion with arbitrary content,” as detailed in a security advisory. “This could permit the attacker to authenticate as any user within the affected system.”
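The advisory describes the hallmark of a signature-wrapping attack: a document the IdP really did sign is rearranged so that the relying party verifies one element but reads its identity from another. The Ruby script below is an added illustration of the structural checks a SAML consumer should make before (and in addition to) verifying the signature cryptographically; it is not ruby-saml's code, not the CVE-2024-45409 fix, and does not reproduce the library's exact bug. The two SAML responses, the `SAML_NS` table, the `trusted_name_id` helper and the placeholder digest and signature values are all constructed for this example.

```ruby
require "rexml/document"
require "rexml/xpath"

SAML_NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "ds"    => "http://www.w3.org/2000/09/xmldsig#",
}.freeze

class SamlStructureError < StandardError; end

# Structural checks a relying party should run before trusting an Assertion.
# They complement cryptographic verification (canonicalisation, digest and
# signature checks against the IdP certificate are deliberately out of scope
# here). Returns the NameID of the single Assertion bound to the signature.
def trusted_name_id(xml)
  doc = REXML::Document.new(xml)
  response = doc.root
  unless response && response.name == "Response" && response.namespace == SAML_NS["samlp"]
    raise SamlStructureError, "root element is not samlp:Response"
  end

  # 1. Exactly one Assertion in the whole document, directly under the Response.
  #    Wrapping attacks park the genuine signed Assertion elsewhere (Extensions,
  #    a nested element) next to a forged one that the consumer reads.
  assertions = REXML::XPath.match(doc, "//saml:Assertion", SAML_NS)
  raise SamlStructureError, "expected one Assertion, found #{assertions.size}" unless assertions.size == 1
  assertion = assertions.first
  raise SamlStructureError, "Assertion is not a direct child of the Response" unless assertion.parent.equal?(response)

  # 2. Exactly one Signature carrying exactly one same-document Reference.
  signatures = REXML::XPath.match(doc, "//ds:Signature", SAML_NS)
  raise SamlStructureError, "expected one Signature, found #{signatures.size}" unless signatures.size == 1
  signature = signatures.first
  references = REXML::XPath.match(signature, "./ds:SignedInfo/ds:Reference", SAML_NS)
  raise SamlStructureError, "expected one Reference, found #{references.size}" unless references.size == 1
  uri = references.first.attributes["URI"].to_s
  raise SamlStructureError, "unsupported Reference URI #{uri.inspect}" unless uri.start_with?("#") && uri.size > 1
  signed_id = uri[1..]

  # 3. The referenced ID resolves to exactly one element (duplicate IDs are a
  #    classic wrapping trick), the Signature is enveloped inside it, and it is
  #    the Response or the very Assertion we are about to consume.
  targets = REXML::XPath.match(doc, "//*[@ID]").select { |e| e.attributes["ID"] == signed_id }
  raise SamlStructureError, "Reference #{uri} resolves to #{targets.size} elements" unless targets.size == 1
  signed = targets.first
  raise SamlStructureError, "Signature is not enveloped in the element it references" unless signature.parent.equal?(signed)
  unless signed.equal?(response) || signed.equal?(assertion)
    raise SamlStructureError, "signed element #{signed.expanded_name} is neither the Response nor the Assertion"
  end

  name_id = REXML::XPath.first(assertion, "./saml:Subject/saml:NameID", SAML_NS)
  raise SamlStructureError, "Assertion has no NameID" unless name_id
  name_id.text.to_s.strip
end

# Constructed sample: a genuine IdP response. DigestValue/SignatureValue are placeholders.
GENUINE_RESPONSE = <<~'XML'
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
    <saml:Assertion ID="_a1" Version="2.0">
      <saml:Issuer>https://idp.example.com</saml:Issuer>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference></ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the attacker keeps the genuine signed Assertion (moved into
# Extensions, so a signature check over "#_a1" can still pass) and adds an unsigned
# Assertion that reuses its ID where a naive consumer looks for the subject.
WRAPPED_RESPONSE = <<~'XML'
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
    <samlp:Extensions>
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Issuer>https://idp.example.com</saml:Issuer>
        <ds:Signature>
          <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference></ds:SignedInfo>
          <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
        </ds:Signature>
        <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Extensions>
    <saml:Assertion ID="_a1" Version="2.0">
      <saml:Issuer>https://idp.example.com</saml:Issuer>
      <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts "genuine -> #{trusted_name_id(GENUINE_RESPONSE)}"
  begin
    trusted_name_id(WRAPPED_RESPONSE)
  rescue SamlStructureError => e
    puts "wrapped -> rejected: #{e.message}"
  end
end
```

The genuine document yields `alice@example.com`; the wrapped one is rejected at the first check because two Assertions are present. The point of the ordering is that every check binds the element whose signature will be verified to the element whose NameID will be trusted: a consumer that verifies "whatever element the Reference points to" and then reads "whatever Assertion the XPath finds first" is exactly the gap an attacker with one signed document needs.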
The vulnerability also affects omniauth-saml, the OmniAuth strategy built on ruby-saml; its maintainers released version 2.2.1, which upgrades ruby-saml to 1.17 to close the hole.
GitLab's patch updates the omniauth-saml dependency to 2.2.1 and ruby-saml to 1.17.0. The fix ships in GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10; self-managed instances on earlier releases remain exposed until they are upgraded.
As a precaution, GitLab strongly recommends that administrators of self-managed instances enable two-factor authentication (2FA) for all accounts and disable the option that lets SAML logins bypass 2FA, so that a forged assertion on its own is not enough to complete a sign-in.
GitLab has not reported exploitation of the flaw in the wild, but it has published indicators of attempted and successful exploitation so that administrators can check their own instances.
“Successful attempts to exploit this flaw will generate SAML-related log events,” GitLab explained. “In cases of successful exploitation, logs will record the extern_id value set by the attacker.”
“Unsuccessful attempts might cause a ValidationError from the RubySaml library, potentially triggered by the intricacies involved in crafting a working exploit.”
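The two indicators GitLab names, an attacker-chosen `extern_id` on a successful SAML login and `ValidationError` failures from RubySaml on unsuccessful ones, can be triaged with a short script. The Ruby below is an added example, not a GitLab tool: the JSON-lines log format, the field names (`provider`, `extern_id`, `username`, `remote_ip`, `message`), the sample entries and the `EXPECTED_EXTERN_IDS` baseline are all constructed for this example, and the accessors would need adapting to the real layout of a given instance's logs. The failure-message wording follows OmniAuth's `(provider) Authentication failure! key: ExceptionClass, message` pattern.

```ruby
require "json"

# Constructed sample log lines (JSON-lines). Field names are assumptions for
# this example, not a documented GitLab schema.
SAMPLE_LOG = <<~'LOG'
  {"time":"2024-09-17T10:01:02Z","severity":"INFO","provider":"saml","remote_ip":"198.51.100.23","username":"alice","extern_id":"alice@example.com","message":"SAML login succeeded"}
  {"time":"2024-09-17T10:02:40Z","severity":"ERROR","remote_ip":"203.0.113.7","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Signature on SAML Response"}
  {"time":"2024-09-17T10:02:51Z","severity":"ERROR","remote_ip":"203.0.113.7","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Signature on SAML Response"}
  {"time":"2024-09-17T10:03:05Z","severity":"ERROR","remote_ip":"203.0.113.7","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Digest mismatch"}
  {"time":"2024-09-17T10:03:11Z","severity":"INFO","provider":"saml","remote_ip":"203.0.113.7","username":"root","extern_id":"root@idp.example.com","message":"SAML login succeeded"}
  {"time":"2024-09-17T10:05:00Z","severity":"ERROR","remote_ip":"198.51.100.23","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is on or after NotOnOrAfter condition"}
  not a json line
LOG

# Constructed baseline: the extern_id the IdP genuinely issues for each account,
# e.g. exported from the IdP's user directory.
EXPECTED_EXTERN_IDS = {
  "alice" => "alice@example.com",
  "root"  => "admin-7f3a@idp.example.com",
}.freeze

# Scans JSON-lines log text and returns:
#   :suspicious_logins  successful SAML logins whose extern_id is not the one the
#                       IdP issues for that account (attacker-controlled on a forgery)
#   :validation_errors  RubySaml ValidationError count per source IP
#   :noisy_sources      IPs at or above failure_threshold (failed exploit attempts)
#   :unparsed           lines that were not valid JSON
def analyze_saml_log(text, expected: EXPECTED_EXTERN_IDS, failure_threshold: 3)
  findings = { suspicious_logins: [], validation_errors: Hash.new(0), unparsed: 0 }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    begin
      event = JSON.parse(line)
    rescue JSON::ParserError
      findings[:unparsed] += 1
      next
    end

    message = event["message"].to_s
    if message.include?("OneLogin::RubySaml::ValidationError")
      # The library rejected the document: a burst from one source is worth a
      # look even though every attempt failed.
      findings[:validation_errors][event["remote_ip"]] += 1
    elsif event["provider"] == "saml" && event.key?("extern_id")
      # A successful login: compare the recorded extern_id with the baseline.
      user = event["username"]
      next if expected[user] == event["extern_id"]
      findings[:suspicious_logins] << {
        time: event["time"], username: user, extern_id: event["extern_id"],
        remote_ip: event["remote_ip"],
        reason: expected.key?(user) ? "extern_id differs from IdP baseline" : "account has no IdP baseline",
      }
    end
  end
  findings[:noisy_sources] = findings[:validation_errors].select { |_ip, n| n >= failure_threshold }.keys
  findings
end

if __FILE__ == $PROGRAM_NAME
  result = analyze_saml_log(SAMPLE_LOG)
  result[:suspicious_logins].each { |f| puts "SUSPICIOUS LOGIN #{f.inspect}" }
  result[:noisy_sources].each { |ip| puts "#{ip}: #{result[:validation_errors][ip]} ValidationErrors" }
  puts "#{result[:unparsed]} unparsed line(s)"
end
```

On the sample, the `root` login is flagged because its extern_id does not match the baseline, and 203.0.113.7 is reported for three ValidationErrors preceding it. The baseline comparison has an obvious limit: an attacker who forges an assertion carrying the victim's exact extern_id will not be caught by it, so the stronger signal is correlation with the IdP side, i.e. a successful GitLab SAML login for which the IdP has no matching authentication event at that time.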
This development follows an announcement by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Among them is a recently disclosed critical bug in Apache HugeGraph-Server (CVE-2024-27348, CVSS score: 9.8), based on evidence of active exploitation.
Federal Civilian Executive Branch (FCEB) agencies are advised to address the listed vulnerabilities by October 9, 2024, to defend their networks against emerging threats.