January 24, 2024 at 01:01PM
Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw that lets an attacker have a victim's password reset email delivered to an attacker-controlled address. The flaw does not bypass 2FA, but it is a critical risk for accounts without it. Shadowserver sees the vulnerable servers concentrated in the U.S., Germany, Russia, and other countries, and admins are urged to patch immediately and check for signs of compromise.
Key takeaways:
1. Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw affecting GitLab Community Edition (CE) and Enterprise Edition (EE) 16.1 through 16.7.
2. The flaw lets an attacker submit a password reset for a targeted account and have the reset email delivered to an attacker-controlled address. The victim does not have to click anything, which is why it is described as zero-click.
3. The flaw does not bypass two-factor authentication: an attacker can reset the password of a 2FA-protected account but still cannot log in without the second factor, so accounts without 2FA are the ones exposed to takeover.
4. GitLab fixed the flaw in versions 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, and 16.7.2; any earlier patch release in the 16.1 to 16.7 lines is vulnerable.
5. Threat monitoring service Shadowserver counts 5,379 vulnerable GitLab instances exposed online, most of them in the United States, Germany, Russia, China, France, the U.K., India, and Canada.
6. A compromised instance puts everything it hosts at risk: software supply chain attacks through tampered repositories, source code disclosure, leaked API keys and other secrets, and further malicious activity.
7. Admins are advised to apply the security update and enable 2FA, then follow GitLab's incident response guide: check for signs of compromise and, if an instance was compromised, rotate all credentials, API tokens, certificates, and secrets.
8. After updating, admins should also check their development environment for unexpected modifications, including changes to source code and other potentially tampered files.
9. Admins should act promptly even though no active exploitation of CVE-2023-7028 had been confirmed at the time of writing.
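The affected and fixed version numbers in takeaways 1 and 4 are easy to misread when triaging a fleet, so here is a small version check written for this page; it is an added example, not GitLab's own tooling. It encodes the fixed releases named above (16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2) and treats 16.0 and earlier and 16.8 and later as outside the affected window. The `triage_api_version` helper assumes the JSON shape returned by GitLab's authenticated `GET /api/v4/version` endpoint (`{"version": ..., "revision": ...}`); the sample responses at the bottom are constructed, not captured from a live instance.

```python
"""Version triage for CVE-2023-7028 (GitLab CE/EE 16.1 - 16.7).

Added example, not GitLab's own tooling. A build in an affected minor line
whose patch number is below the fixed patch is vulnerable; minor lines not
listed in FIXED_PATCH (16.0 and earlier, 16.8 and later) are not affected.
"""
import json
import re

# minor line -> first patch release that carries the fix (GitLab advisory)
FIXED_PATCH = {
    (16, 1): 6,
    (16, 2): 9,
    (16, 3): 7,
    (16, 4): 5,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}

# "16.7.1-ee", "16.7.2-ee-pre", "16.4.5" -> (16, 7, 1) and so on; the suffix
# (-ee, -pre, ...) is ignored, so a pre-release is judged by its base number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?$")


def parse_version(version: str) -> tuple[int, int, int]:
    """Split a GitLab version string into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if this release is in a vulnerable range for CVE-2023-7028."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False  # outside the 16.1 - 16.7 window
    return patch < fixed


def minimum_fixed_release(version: str) -> str | None:
    """Patch release an affected minor line must be on; None if not affected."""
    major, minor, _ = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else f"{major}.{minor}.{fixed}"


def triage_api_version(body: str) -> dict:
    """Triage the JSON body returned by GET /api/v4/version (token required)."""
    version = json.loads(body)["version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": minimum_fixed_release(version),
    }


if __name__ == "__main__":
    # Constructed responses, not captured from a live instance.
    for sample in (
        '{"version":"16.7.1-ee","revision":"abc123"}',
        '{"version":"16.7.2-ee","revision":"def456"}',
        '{"version":"16.8.0-ee","revision":"0123ab"}',
    ):
        print(triage_api_version(sample))
```

Feed it the body of `/api/v4/version` from each instance you administer (or the version shown on the `/help` page) and upgrade anything reported as vulnerable to at least the `upgrade_to` release. A pre-release build such as `16.7.0-pre` is judged by its base number, which errs on the side of flagging it.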
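Takeaways 2, 7 and 8 say to check for signs of compromise after patching but not what to look for. The distinguishing feature of this flaw is a password reset request that names more than one email address for a single account, so the check below scans request logs for exactly that. It is an added example, not GitLab's incident response guide or its tooling; it assumes the one-JSON-object-per-line shape of `gitlab-rails/production_json.log`, where request parameters are logged as a list of `{"key": ..., "value": ...}` entries, and the sample log lines are constructed for the example, not real traffic.

```python
"""Post-patch compromise check for CVE-2023-7028: find password reset
requests that carried more than one email address.

Added example, not GitLab's own incident-response tooling. Assumes the
JSON-lines shape of gitlab-rails/production_json.log. A legitimate reset
submits one address; a POST to /users/password whose user[email] value is
an array of several addresses is the pattern worth triaging.
"""
import json
from collections.abc import Iterable

RESET_PATH = "/users/password"


def _reset_emails(params) -> list[str]:
    """Collect every address submitted under user[email] from a params list."""
    emails: list[str] = []
    for p in params or []:
        if not isinstance(p, dict):
            continue
        key, value = p.get("key"), p.get("value")
        if key == "user" and isinstance(value, dict):
            value = value.get("email")  # nested form: {"email": ...}
        elif key not in ("user[email]", "user[email][]"):
            continue  # flat form, in case params were logged unnested
        if isinstance(value, str):
            emails.append(value)
        elif isinstance(value, list):
            emails.extend(v for v in value if isinstance(v, str))
    return emails


def find_suspicious_resets(lines: Iterable[str]) -> list[dict]:
    """One record per POST /users/password that targeted more than one address."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log line
        if ev.get("method") != "POST" or ev.get("path") != RESET_PATH:
            continue
        emails = _reset_emails(ev.get("params"))
        if len(emails) > 1:
            hits.append({
                "time": ev.get("time"),
                "remote_ip": ev.get("remote_ip"),
                "status": ev.get("status"),
                "emails": emails,
            })
    return hits


# Constructed sample lines modelled on production_json.log; not real traffic.
SAMPLE_LOG = [
    '{"method":"POST","path":"/users/password","status":302,'
    '"time":"2024-01-12T10:15:30.123Z","remote_ip":"198.51.100.7",'
    '"params":[{"key":"user","value":{"email":"alice@example.com"}}]}',
    '{"method":"GET","path":"/users/password/new","status":200,'
    '"time":"2024-01-12T10:16:00.000Z","remote_ip":"203.0.113.5","params":[]}',
    '{"method":"POST","path":"/users/password","status":302,'
    '"time":"2024-01-12T10:16:02.456Z","remote_ip":"203.0.113.5",'
    '"params":[{"key":"user","value":{"email":'
    '["alice@example.com","attacker@example.net"]}}]}',
    "not a json line",
]

if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_LOG):
        print(hit)
```

Run it over the real file with `find_suspicious_resets(open("/var/log/gitlab/gitlab-rails/production_json.log"))` on an Omnibus install, and include rotated logs, since a reset attempt may predate the patch by days. Any hit is a lead, not proof: confirm it against the account's current email and password-change history, and treat the second address and the `remote_ip` as indicators for the rest of the investigation.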