GitLab has released a patch to address a critical flaw affecting Community Edition (CE) and Enterprise Edition (EE) that could lead to authentication bypass.
The vulnerability exists in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0) and could allow an attacker to log in as any user on a vulnerable system. The issue was addressed by maintainers last week.
The issue occurs because the library doesn’t properly validate the signature of the SAML response. SAML stands for Security Assertion Markup Language, a protocol that enables single sign-on (SSO) and the exchange of authentication and authorization data between multiple apps and websites.
According to the security advisory, “An unauthenticated attacker with access to the signed (by the IdP) SAML document can forge a SAML response/assertion containing arbitrary content, allowing the attacker to log in as any user within the vulnerable system.”
It’s also worth noting that this flaw also affects omniauth-saml, which has released its own update (version 2.2.1) to upgrade ruby-saml to version 1.17.
GitLab’s latest patch is designed to update the dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0, which includes versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
As a mitigation measure, GitLab strongly encourages users of self-managed installations to enable two-factor authentication (2FA) for all accounts and disallow the SAML two-factor bypass option.
While GitLab has not stated that this flaw has been exploited in the wild, it has shown signs of attempted and successful exploitation, suggesting that threat actors may be actively attempting to leverage the vulnerability to gain access to susceptible GitLab instances.
“Successful attack attempts will trigger SAML-related log events,” the company said. “If an attack attempt is successful, the extern_id value set by the attacker attempting the attack will be logged.”
“When an exploit attempt fails, a ValidationError may be generated from the RubySaml library. This can happen for a variety of reasons related to the complexity of creating a working exploit.”
The development comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a recently disclosed critical bug (CVE-2024-27348, CVSS score: 9.8) affecting Apache HugeGraph-Server, based on evidence of active exploitation.
Federal Civil Administration Entities (FCEBs) are recommended to fix identified vulnerabilities by October 9, 2024, to protect their networks against active threats.